Security settings
Configure security settings for your Vercel project, including Logs and Source Protection, Customer Success Code Visibility, Git Fork Protection, and Secure Backend Access with OIDC Federation.To adjust your project's security settings:
- Select your project from your dashboard
- Select the Settings tab
- Choose the Security menu item
From here you can enable or disable Attack Challenge Mode, Logs and Source Protection, Customer Success Code Visibility and Git Fork Protection.
By default, the following paths mentioned below can only be accessed by you and authenticated members of your Vercel team:
/_src
: Displays the source code and build output./_logs
: Displays the build logs.
Disabling Build Logs and Source Protection will make your source code and
logs publicly accessible. Do not edit this setting if you don't want them
to be publicly accessible.
None of your existing deployments will be affected when you toggle this setting. If you’d like to make the source code or logs private on your existing deployments, the only option is to delete these deployments.
This setting is overwritten when a deployment is created using Vercel CLI with the --public
option or the public
property is used in vercel.json
.
For deployments created before July 9th, 2020 at 7:05 AM (UTC), only the
Project Settings is considered for determining whether the deployment's Logs
and Source are publicly accessible or not. It doesn't matter if the --public
flag was passed when creating those Deployments.
Customer Success Code Visibility is available on Pro and Enterprise plans
Vercel provides a setting that controls the visibility of your source code to our Customer Success team. By default, this setting is disabled, ensuring that your code remains confidential and accessible only to you and your team. The Customer Success team might request for this setting to be enabled to troubleshoot specific issues related to your code.
If you receive a pull request from a fork of your repository that includes a change to the vercel.json
file, the project has Environment Variables or has OIDC Federation enabled, Vercel will require authorization from you or a Team Member to deploy the pull request.
This behavior protects you from leaking sensitive project information.
You can disable this protection in the Security section of your Project Settings.
Do not disable this setting until you review Environment Variables in your
project as well as vercel.json
in your source code.
This feature allows you to secure access to your backend services by using short-lived, non-persistent tokens that are signed by Vercel's OIDC Identity Provider (IdP).
To learn more, see Secure Backend Access with OIDC Federation.
Deployment Retention Policy allows you to set a limit on how long older deployments are kept for your project. To learn more, see Deployment Retention Policy.
This section also provides information on the recently deleted deployments
Was this helpful?