Conceptual

Deployment Protection on Vercel

Learn how to secure your Vercel project's preview and production URLs with Deployment Protection. Configure fine-grained access control at the project level for different deployment environments.
Table of Contents

Deployment Protection safeguards both your preview and production URLs across various environments. Configured at the project level through your settings, Deployment Protection provides detailed access control for different deployment types.

Vercel offers the following Deployment Protection features:

  • Vercel Authentication: Restricts access to your deployments to only Vercel users with suitable access rights. Vercel Authentication is available on all plans
  • Password Protection: Restricts access to your deployments to only users with the correct password. Password Protection is available on the Enterprise plan, or as a paid add-on for Pro plans
  • Trusted IPs: Restricts access to your deployments to only users with the correct IP address. Trusted IPs is available on the Enterprise plan

Deployment Protection is managed through your project settings. To configure Deployment Protection:

  1. From the dashboard, select the project you wish to set Deployment Protection on
  2. Once selected, navigate to the Settings tab
  3. From the list, select the Deployment Protection tab

You can configure the type of Deployment Protection for each environment in your project depending on your projects security needs. When choosing your protection method, you can select from three options:

To protect only production URLs, you can use Trusted IPs. Note that this option is only available on the Enterprise plan.

Standard Protection is available on all plans

The Standard Protection option is the recommended way to secure all your domains, including both preview and production deployment URLs, to limit public access.

With Standard Protection selected, example.com serves as your publicly-accessible production domain, while all other generated URLs would be protected.

This means that any production deployment with a custom domain assigned (even if it is not the current production deployment) is unprotected. This includes alias URLs where the target of the deployment is production.

Selecting Standard Protection in the Vercel Dashboard.
Selecting Standard Protection in the Vercel Dashboard.

Standard Protection can be configured with the following Deployment Protection features:

Enabling Standard Protection restricts public access to the production generated deployment URL. This affects VERCEL_URL from System Environment Variables and VERCEL_URL from Framework Environment Variables, making them unsuitable for fetch requests.

If you are using VERCEL_URL to make fetch requests, you will need to update your requests to target the same domain the user has requested.

The Framework Environment Variable VERCEL_URL is prefixed with the name of the framework. For example, VERCEL_URL for Next.js is NEXT_PUBLIC_VERCEL_URL, and VERCEL_URL for Nuxt.js is NUXT_ENV_VERCEL_URL. See the Framework Environment Variables documentation for more information.

For client-side requests, use relative paths in the fetch call to target the current domain, automatically including the user's authentication cookie for protected URLs.

// Before
fetch(`${process.env.VERCEL_URL}/some/path`);
 
// After
fetch('/some/path');
// Note: For operations requiring fully qualified URLs, such as generating OG images,
// replace '/some/path' with the actual domain (e.g. 'https://yourdomain.com/some/path').

For server-side requests, use the origin from the incoming request and manually add request cookies to pass the user's authentication cookie.

const headers = { cookie: <incoming request header cookies> };
fetch('<incoming request origin>/some/path', { headers });

Bypassing protection using Protection Bypass for Automation is an option but not required for requests targeting the same domain.

Protecting preview deployments is available on all plans

When Only Preview Deployments is selected, preview URLs are protected, while the production environment remains publicly accessible. This allows for secure testing and review.

For example, Vercel generates a preview URL such as my-preview-5678.vercel.app, which will be protected. In contrast, all production URLs, including example.com and any past or current generated production branch URLs like *-main.vercel.app, remain accessible.

Selecting Only Preview Deployments in the Vercel Dashboard.
Selecting Only Preview Deployments in the Vercel Dashboard.

Protecting only preview deployments can be configured with the following Deployment Protection features:

Protecting production deployments is available on Enterprise plans

When Production Deployments is selected, only your production domain, and all production deployments are secured. This is useful for restricting access to trusted IPs.

For example, if example.com is your production domain, it becomes secure under this setting, while preview URLs remain publicly accessible.

To protect only production deployments, use Trusted IPs.

Selecting All Deployments in the Vercel Dashboard.
Selecting All Deployments in the Vercel Dashboard.

Protecting all deployments is available on Enterprise plans or with the Advanced Deployment Protection add-on for Pro plans

Selecting All Deployments secures all deployments, both preview and production, restricting public access entirely.

With this configuration, all URLs, including your production domain example.com and generated URLs like my-project-1234.vercel.app, are protected.

Selecting All Deployments in the Vercel Dashboard.
Selecting All Deployments in the Vercel Dashboard.

Protecting all deployments can be configured with the following Deployment Protection features:

Advanced Deployment Protection features are available to Enterprise customers by default. Customers on the Pro plan can access these features for an additional $150 per month, including:

To opt-into Advanced Deployment Protection while on a Pro plan:

  1. Navigate to your Project Settings and select the Deployment Protection tab
  2. Then choose one of the above protection features
  3. You will then be prompted to upgrade to the Advanced Deployment Protection add-on through an Enable and Pay button before you can use the feature

When you enable Advanced Deployment Protection, you will be charged $150 per month for the add-on, and will have access to all Advanced Deployment Protection features.

To opt out of Advanced Deployment Protection:

  1. Navigate to your Team Settings, then the Billing page
  2. Press Edit on the feature you want to disable and follow the instructions to disable the add-on

In order to disable Advanced Deployment Protection, you must have been using the feature for a minimum of thirty days. After this time, once cancelled, all Advanced Deployment Protection features will be disabled.

Last updated on September 30, 2024