Deployment Protection on Vercel

Deployment Protection safeguards both your preview and production URLs across various environments. Configured at the project level through your settings, Deployment Protection provides detailed access control for different deployment types.

Vercel offers the following Deployment Protection features:

• Vercel Authentication: Restricts access to your deployments to only Vercel users with suitable access rights. Vercel Authentication is available on all plans
• Password Protection: Restricts access to your deployments to only users with the correct password. Password Protection is available on the Enterprise plan, or as a paid add-on for Pro plans
• Trusted IPs: Restricts access to your deployments to only users with the correct IP address. Trusted IPs is available on the Enterprise plan

Deployment Protection is managed through your project settings. To configure Deployment Protection:

1. From the dashboard, select the project you wish to set Deployment Protection on
2. Once selected, navigate to the Settings tab
3. From the list, select the Deployment Protection tab

You can configure the type of Deployment Protection for each environment in your project depending on your projects security needs. When choosing your protection method, you can select from three options:

• Standard Protection: This option protects all domains except Production Custom Domains. Standard Protection is available on all plans
• All Deployments: Protects all URLs. Protecting all deployments is available on Pro and Enterprise plans
• (Legacy) Standard Protection: This option protects all preview URLs and deployment URLs. All up to date production URLs are unprotected.
• (Legacy) Only Preview Deployments: This option protects only preview URLs. This does not protect past production deployments.

To protect only production URLs, you can use Trusted IPs. Note that this option is only available on the Enterprise plan.

Standard Protection is the recommended way to secure your deployments, as it protects all domains except Production Custom Domains.

Standard Protection can be configured with the following Deployment Protection features:

• Vercel Authentication
• Password Protection
• Trusted IPs

Enabling Standard Protection restricts public access to the production generated deployment URL. This affects VERCEL_URL and VERCEL_BRANCH_URL from System Environment Variables, making them unsuitable for fetch requests.

If you are using VERCEL_URL or VERCEL_BRANCH_URL to make fetch requests, you will need to update your requests to target the same domain the user has requested.

For client-side requests, use relative paths in the fetch call to target the current domain, automatically including the user's authentication cookie for protected URLs.

// Before
fetch(`${process.env.VERCEL_URL}/some/path`);
 
// After
fetch('/some/path');
// Note: For operations requiring fully qualified URLs, such as generating OG images,
// replace '/some/path' with the actual domain (e.g. 'https://yourdomain.com/some/path').

For server-side requests, use the origin from the incoming request and manually add request cookies to pass the user's authentication cookie.

const headers = { cookie: <incoming request header cookies> };
fetch('<incoming request origin>/some/path', { headers });

Bypassing protection using Protection Bypass for Automation is an option but not required for requests targeting the same domain.

Selecting All Deployments secures all deployments, both preview and production, restricting public access entirely.

With this configuration, all URLs, including your production domain example.com and generated URLs like my-project-1234.vercel.app, are protected.

Protecting all deployments can be configured with the following Deployment Protection features:

• Vercel Authentication
• Password Protection
• Trusted IPs

Restrict access to protected deployments to a list of Trusted IPs.

Preview deployment URLs remain publicly accessible. This feature is only available on the Enterprise plan.

(Legacy) Standard Protection is a legacy feature that protects all preview URLs and deployment URLs. All up to date production URLs are unprotected.

Selecting (Legacy) Only Preview Deployments protects preview URLs, while the production environment remains publicly accessible.

For example, Vercel generates a preview URL such as my-preview-5678.vercel.app, which will be protected. In contrast, all production URLs, including any past or current generated production branch URLs like *-main.vercel.app, remain accessible.

Advanced Deployment Protection features are available to Enterprise customers by default. Customers on the Pro plan can access these features for an additional $150 per month, including:

• Password Protection
• Private Production Deployments
• Deployment Protection Exceptions

To opt-into Advanced Deployment Protection while on a Pro plan:

1. Navigate to your Project Settings and select the Deployment Protection tab
2. Then choose one of the above protection features
3. You will then be prompted to upgrade to the Advanced Deployment Protection add-on through an Enable and Pay button before you can use the feature

When you enable Advanced Deployment Protection, you will be charged $150 per month for the add-on, and will have access to all Advanced Deployment Protection features.

To opt out of Advanced Deployment Protection:

1. Navigate to your Team Settings, then the Billing page
2. Press Edit on the feature you want to disable and follow the instructions to disable the add-on

In order to disable Advanced Deployment Protection, you must have been using the feature for a minimum of thirty days. After this time, once cancelled, all Advanced Deployment Protection features will be disabled.

• Methods to protect deployments
• Methods to bypass deployment protection