Deployment Protection on Vercel

Deployment Protection safeguards both your preview and production URLs across various environments. Configured at the project level through your settings, Deployment Protection provides detailed access control for different deployment types.

Vercel offers the following Deployment Protection features:

• Vercel Authentication: Restricts access to your deployments to only Vercel users with suitable access rights. Vercel Authentication is available on all plans
• Password Protection: Restricts access to your deployments to only users with the correct password. Password Protection is available on the Enterprise plan, or as a paid add-on for Pro plans
• Trusted IPs: Restricts access to your deployments to only users with the correct IP address. Trusted IPs is available on the Enterprise plan

Deployment Protection is managed through your project settings. To configure Deployment Protection:

1. From the dashboard, select the project you wish to set Deployment Protection on
2. Once selected, navigate to the Settings tab
3. From the list, select the Deployment Protection tab

You can configure the type of Deployment Protection for each environment in your project depending on your projects security needs. When choosing your protection method, you can select from three options:

• Standard Protection: Protects both preview and generated production URLs. Standard Protection is available on all plans
• Only Preview Deployments: Protects only preview URLs. Protecting preview deployments is available on all plans
• All Deployments: Protects all URLs. Protecting all deployments is available on Pro and Enterprise plans

To protect only production URLs, you can use Trusted IPs. Note that this option is only available on the Enterprise plan.

The Standard Protection option is the recommended way to secure all your domains, including both preview and generated production URLs, to limit public access.

With Standard Protection selected, example.com serves as your publicly-accessible production domain, while all other generated URLs would be protected.

Standard Protection can be configured with the following Deployment Protection features:

• Vercel Authentication
• Password Protection
• Trusted IPs

Enabling Standard Protection restricts public access to the production generated deployment URL. This affects VERCEL_URL from System Environment Variables and VERCEL_URL from Framework Environment Variables, making them unsuitable for fetch requests.

If you are using VERCEL_URL to make fetch requests, you will need to update your requests to target the same domain the user has requested.

For client-side requests, use relative paths in the fetch call to target the current domain, automatically including the user's authentication cookie for protected URLs.

// Before
fetch(`${process.env.VERCEL_URL}/some/path`);
 
// After
fetch('/some/path');
// Note: For operations requiring fully qualified URLs, such as generating OG images,
// replace '/some/path' with the actual domain (e.g. 'https://yourdomain.com/some/path').

For server-side requests, use the origin from the incoming request and manually add request cookies to pass the user's authentication cookie.

const headers = { cookie: <incoming request header cookies> };
fetch('<incoming request origin>/some/path', { headers });

Bypassing protection using Protection Bypass for Automation is an option but not required for requests targeting the same domain.

When Only Preview Deployments is selected, preview URLs are protected, while the production environment remains publicly accessible. This allows for secure testing and review.

For example, Vercel generates a preview URL such as my-preview-5678.vercel.app, which will be protected. In contrast, all production URLs, including example.com and any past or current generated production branch URLs like *-main.vercel.app, remain accessible.

Protecting only preview deployments can be configured with the following Deployment Protection features:

• Vercel Authentication
• Password Protection
• Trusted IPs

When Production Deployments is selected, only your production domain, and all production deployments are secured. This is useful for restricting access to trusted IPs.

For example, if example.com is your production domain, it becomes secure under this setting, while preview URLs remain publicly accessible.

To protect only production deployments, use Trusted IPs.

Selecting All Deployments secures all deployments, both preview and production, restricting public access entirely.

With this configuration, all URLs, including your production domain example.com and generated URLs like my-project-1234.vercel.app, are protected.

Protecting all deployments can be configured with the following Deployment Protection features:

• Vercel Authentication
• Password Protection
• Trusted IPs

Advanced Deployment Protection features are available to Enterprise customers by default. Customers on the Pro plan can access these features for an additional $150 per month, including:

• Password Protection
• Protection bypass for Automation
• Deployment Protection Exceptions

To opt-into Advanced Deployment Protection while on a Pro plan:

1. Navigate to your Project Settings and select the Deployment Protection tab
2. Then choose one of the above protection features
3. You will then be prompted to upgrade to the Advanced Deployment Protection add-on through an Enable and Pay button before you can use the feature

When you enable Advanced Deployment Protection, you will be charged $150 per month for the add-on, and will have access to all Advanced Deployment Protection features.

To opt out of Advanced Deployment Protection:

1. Navigate to your Team Settings, then the Billing page
2. Press Edit on the feature you want to disable and follow the instructions to disable the add-on

In order to disable Advanced Deployment Protection, you must have been using the feature for a minimum of thirty days. After this time, once cancelled, all Advanced Deployment Protection features will be disabled.