Vercel Hardening Guide
Deployment platform security for access tokens, environment variables, and Git integration
Overview
Vercel is a frontend cloud platform for building, deploying, and hosting web applications. Its REST API, personal access tokens, and Git integrations reach source code, deployment configuration, and environment variables. A compromised token or integration therefore exposes deployment secrets and environment configuration and lets an attacker ship malicious code to production.
Intended Audience
- Security engineers managing deployment platforms
- DevOps administrators
- GRC professionals assessing deployment security
- Third-party risk managers evaluating hosting integrations
1. Authentication & Access Controls
1.1 Enforce SSO with MFA
Profile Level: L1 (Baseline) NIST 800-53: IA-2(1)
ClickOps Implementation
Step 1: Configure SAML SSO (Enterprise)
- Navigate to: Team Settings → Security → SAML Single Sign-On
- Configure SAML IdP
- Enable: Enforce SAML
Step 2: Enable 2FA
- Navigate to: Account Settings → Security
- Enable: Two-Factor Authentication
- Note: 2FA is configured per personal account and is not enforceable from team settings; to require MFA for every member, enforce SAML and require MFA in the IdP's sign-in policy
1.2 Team Access Controls
Profile Level: L1 (Baseline) NIST 800-53: AC-3, AC-6
ClickOps Implementation
Step 1: Define Roles
| Role | Permissions |
|---|---|
| Owner | Full team access, including billing, membership, and security settings; keep to the minimum number of people |
| Member | Create and manage projects, deployments, domains, and environment variables; no billing or team-level settings |
| Developer | Deploy and view projects without team or project administration |
| Viewer | Read-only access to projects and deployments (Enterprise) |
Step 2: Project Access
- Navigate to: Project Settings → Members
- Configure project-specific access (Access Groups on Enterprise); where the plan has no project-level membership, assume every team member can see every project and its non-sensitive environment variables
- Limit who can push to the production branch in the Git provider (see 2.1); Vercel builds and promotes whatever lands there
2. Deployment Security
2.1 Secure Deployments
Profile Level: L1 (Baseline) NIST 800-53: CM-3
Description
Control deployment access and protect production.
Rationale
Attack Scenario: A compromised Git integration, or a direct push to the production branch, ships a malicious deployment; an environment variable shared across environments lets the production value be read from any preview build, including one created from an attacker-controlled branch.
ClickOps Implementation
Step 1: Production Protection
- Navigate to: Project Settings → Git
- Confirm the Production Branch; every push to it is built and promoted to production automatically
- Protect that branch in the Git provider (GitHub, GitLab, or Bitbucket): block direct pushes, require pull-request review, and require status checks; Vercel itself has no approval gate for production deployments
Step 2: Preview Deployment Security
- Navigate to: Project Settings → Deployment Protection
- Enable Vercel Authentication for preview deployments (Password Protection or Trusted IPs where the plan supports them)
- If CI or external test tools must reach protected previews, use a Protection Bypass for Automation secret and handle it as a credential: keep it in the CI secret store and rotate it
2.2 Git Integration Security
Profile Level: L1 (Baseline) NIST 800-53: CM-7
ClickOps Implementation
Step 1: Review Integrations
- Navigate to: Team Settings → Integrations
- Review installed marketplace integrations and the scopes they were granted (many can read or write environment variables); remove any no longer in use
- In the Git provider, restrict the Vercel app installation to the repositories that actually deploy rather than all repositories, and review who can change that installation
3. Secrets Management
3.1 Environment Variables
Profile Level: L1 (Baseline) NIST 800-53: SC-28
ClickOps Implementation
Step 1: Configure Environment Variables
- Navigate to: Project Settings → Environment Variables
- Mark credentials as “Sensitive”: the value cannot be read back from the dashboard or API after it is saved, but it is still delivered to builds and functions, so anyone who can deploy can still read it
- Scope each variable to the environments that need it; give preview and development their own values instead of sharing the production value
Step 2: Secrets Best Practices
- Never commit secrets to Git, including the `.env.local` file written by `vercel env pull`
- Prefer Sensitive environment variables; the legacy `vercel secrets` store is deprecated
- Rotate secrets periodically and immediately after any member or token removal
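The following script is an added example (not Vercel's own code) that checks a project for the preview-exposure scenario from 2.1 and the environment-variable hygiene rules above in one pass. It reads the JSON you would save from `GET https://api.vercel.com/v9/projects/{idOrName}` and `GET https://api.vercel.com/v9/projects/{idOrName}/env`; the response shapes, the `ssoProtection`/`passwordProtection` field names, and the secret-looking key heuristic are assumptions to verify against your own export. It runs offline on the constructed sample data at the bottom.

```python
"""Audit one Vercel project for the preview-exposure scenario.

Added example, not Vercel's own code. It consumes saved JSON responses
from two REST API calls (response shapes are assumptions; check them
against your own export):
  GET https://api.vercel.com/v9/projects/{idOrName}      -> project object
  GET https://api.vercel.com/v9/projects/{idOrName}/env  -> {"envs": [...]}
It runs offline on the constructed sample below or on two saved files.
"""
import json
import re
import sys

# A variable whose single value targets production AND one of these
# environments exposes the production value to every preview/dev build.
NON_PROD = {"preview", "development"}

# Key names that usually hold credentials (heuristic, an assumption).
SECRET_KEY_RE = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|DSN|DATABASE_URL", re.I)


def previews_protected(project: dict) -> bool:
    """True when Vercel Authentication or Password Protection covers previews.

    Assumed fields: ssoProtection / passwordProtection are null when off,
    otherwise {"deploymentType": "all" | "preview" |
    "prod_deployment_urls_and_all_previews"}; every enabled mode includes
    preview URLs, so any non-null value counts.
    """
    return any(project.get(f) for f in ("ssoProtection", "passwordProtection"))


def audit_env(envs: list) -> list:
    """Return (severity, key, message) findings for a project's env vars."""
    findings = []
    for env in envs:
        key = env.get("key", "")
        targets = set(env.get("target", []))
        etype = env.get("type", "")  # plain | encrypted | sensitive | ...
        looks_secret = bool(SECRET_KEY_RE.search(key))
        if looks_secret and "production" in targets and targets & NON_PROD:
            findings.append(("HIGH", key,
                f"one value targets {sorted(targets)}; give preview/dev their own value"))
        if looks_secret and etype != "sensitive":
            findings.append(("MEDIUM", key,
                f"type is {etype!r}; recreate it as a Sensitive variable"))
    return findings


def audit_project(project: dict, env_response) -> list:
    """Combine env-var findings with the project's preview protection state."""
    envs = env_response["envs"] if isinstance(env_response, dict) else env_response
    findings = audit_env(envs)
    if not previews_protected(project):
        # Unprotected previews are worse when shared secrets exist.
        sev = "HIGH" if any(f[0] == "HIGH" for f in findings) else "MEDIUM"
        findings.append((sev, project.get("name", "?"),
                         "preview deployments have no Deployment Protection"))
    return findings


# Constructed sample input (not real data): previews unprotected, one
# Stripe key shared across all environments and stored as "encrypted".
SAMPLE_PROJECT = {"name": "storefront", "ssoProtection": None,
                  "passwordProtection": None}
SAMPLE_ENVS = {"envs": [
    {"key": "STRIPE_SECRET_KEY", "type": "encrypted",
     "target": ["production", "preview", "development"]},
    {"key": "DATABASE_URL", "type": "sensitive", "target": ["production"]},
    {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain",
     "target": ["production", "preview", "development"]},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py project.json env.json
        project = json.load(open(sys.argv[1]))
        envs = json.load(open(sys.argv[2]))
    else:
        project, envs = SAMPLE_PROJECT, SAMPLE_ENVS
    for sev, subject, msg in audit_project(project, envs):
        print(f"{sev:6} {subject}: {msg}")
```

On the sample data the script reports the shared Stripe key twice (shared across environments, and not stored as Sensitive) and then escalates the unprotected-preview finding to HIGH because a shared secret is present; a project with Vercel Authentication enabled and only production-scoped Sensitive variables produces no findings.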
3.2 Access Token Security
Profile Level: L1 (Baseline) NIST 800-53: IA-5
ClickOps Implementation
Step 1: Audit Access Tokens
- Navigate to: Account Settings → Tokens
- Review all tokens
- Remove unused tokens
Step 2: Token Best Practices
- Scope each token to a single team rather than the full account
- Set an expiration date; never choose “No expiration”
- A token carries the role of the account that created it, so create CI/CD tokens from a dedicated least-privilege account, not from an Owner
- Use one token per pipeline so a leaked token can be revoked without breaking every other job
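The following script is an added example (not Vercel's own code) that applies the token rules above to a saved listing from `GET https://api.vercel.com/v5/user/tokens`. The response shape (a `tokens` array with `createdAt`, `activeAt`, `expiresAt` in epoch milliseconds and a `scopes` list) and the 90-day lifetime and 30-day staleness thresholds are assumptions; check the field names against your own export. It runs offline on the constructed sample at the bottom.

```python
"""Flag risky Vercel access tokens from a saved API listing.

Added example, not Vercel's own code. Input is the JSON from
GET https://api.vercel.com/v5/user/tokens, assumed to look like
{"tokens": [{"id", "name", "origin", "scopes": [...], "createdAt",
"activeAt", "expiresAt"}, ...]} with epoch-millisecond timestamps and
expiresAt missing or null for non-expiring tokens. Thresholds are
policy assumptions; verify the field names against your own export.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=90)  # assumed policy: rotate at least quarterly
STALE_AFTER = timedelta(days=30)   # assumed policy: revoke if unused this long


def _ms(ts):
    """Epoch milliseconds -> aware datetime, or None when absent."""
    return datetime.fromtimestamp(ts / 1000, tz=timezone.utc) if ts else None


def audit_tokens(response: dict, now: datetime) -> list:
    """Return (severity, token name, message) findings."""
    findings = []
    for tok in response.get("tokens", []):
        name = tok.get("name") or tok.get("id", "?")
        created, active, expires = (
            _ms(tok.get(k)) for k in ("createdAt", "activeAt", "expiresAt"))
        if expires is None:
            findings.append(("HIGH", name, "never expires; recreate with an expiry"))
        elif created and expires - created > MAX_LIFETIME:
            findings.append(("MEDIUM", name,
                f"lifetime {(expires - created).days}d exceeds {MAX_LIFETIME.days}d"))
        last_used = active or created
        if last_used and now - last_used > STALE_AFTER:
            findings.append(("MEDIUM", name,
                f"unused for {(now - last_used).days}d; revoke it"))
        # Tokens created with "full account" scope list the user plus every
        # team; a CI token should carry exactly one team scope.
        if len(tok.get("scopes", [])) > 1:
            findings.append(("LOW", name,
                f"{len(tok['scopes'])} scopes; issue one token per team"))
    return findings


def _at(y, m, d):
    """Midnight UTC on the given date as epoch milliseconds."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp() * 1000)


SAMPLE_NOW = datetime(2025, 12, 14, tzinfo=timezone.utc)
# Constructed sample listing (not real tokens).
SAMPLE_TOKENS = {"tokens": [
    {"id": "t1", "name": "ci-deploy", "origin": "manual",
     "scopes": [{"type": "team", "teamId": "team_a"}],
     "createdAt": _at(2025, 11, 1), "activeAt": _at(2025, 12, 13),
     "expiresAt": _at(2026, 1, 30)},
    {"id": "t2", "name": "laptop-cli", "origin": "manual",
     "scopes": [{"type": "team", "teamId": "team_a"}],
     "createdAt": _at(2024, 6, 1), "activeAt": _at(2025, 9, 1)},
    {"id": "t3", "name": "old-full-account", "origin": "manual",
     "scopes": [{"type": "user"}, {"type": "team", "teamId": "team_a"},
                {"type": "team", "teamId": "team_b"}],
     "createdAt": _at(2025, 1, 10), "activeAt": _at(2025, 12, 10),
     "expiresAt": _at(2026, 1, 10)},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TOKENS
    now = datetime.now(tz=timezone.utc) if len(sys.argv) > 1 else SAMPLE_NOW
    for sev, name, msg in audit_tokens(data, now):
        print(f"{sev:6} {name}: {msg}")
```

The 90-day CI token passes every check; the laptop token is flagged for having no expiry and for being unused since September; the full-account token is flagged for its one-year lifetime and for carrying three scopes.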
4. Monitoring & Detection
4.1 Audit Log (Enterprise)
Profile Level: L1 (Baseline) NIST 800-53: AU-2, AU-3
ClickOps Implementation
Step 1: Access Audit Log
- Navigate to: Team Settings → Audit Log
- Review deployment activities
- Monitor configuration changes
Detection Focus
The queries below assume the Audit Log export has been loaded into a table named vercel_audit_log; adjust column and action names to match your export.
```sql
-- Production deployments in the last 24 hours: reconcile each row against a change ticket
SELECT user_email, project, environment, timestamp
FROM vercel_audit_log
WHERE action = 'deployment.created'
  AND environment = 'production'
  AND timestamp > NOW() - INTERVAL '24 hours'
ORDER BY timestamp DESC;

-- Environment variable changes in the last 7 days: who touched which variable, and when
SELECT user_email, project, variable_name, action, timestamp
FROM vercel_audit_log
WHERE action LIKE '%environment_variable%'
  AND timestamp > NOW() - INTERVAL '7 days'
ORDER BY timestamp DESC;
```
Appendix A: Edition Compatibility
| Control | Hobby | Pro | Enterprise |
|---|---|---|---|
| SAML SSO | ❌ | ❌ | ✅ |
| SCIM | ❌ | ❌ | ✅ |
| Audit Log | ❌ | ❌ | ✅ |
| Deployment Protection: Vercel Authentication | ✅ | ✅ | ✅ |
| Deployment Protection: Password Protection | ❌ | ✅ (add-on) | ✅ |
| Deployment Protection: Trusted IPs | ❌ | ❌ | ✅ |
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial Vercel hardening guide | Claude Code (Opus 4.5) |