vercel-platform-security
Install: claude install-skill hlsitechio/claude-skills-security
# Vercel Platform Security Audit
Audit the Vercel deployment configuration. Application-level concerns are covered in the framework skills; this skill covers the Vercel-specific surface.
## When this skill applies
- Reviewing `vercel.json` configuration
- Auditing environment variable scoping across Production / Preview / Development
- Reviewing Deployment Protection settings
- Checking Vercel Cron and webhook setups
- Auditing Edge Config and Edge Network usage
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
ls vercel.json .vercel/ 2>/dev/null
# Vercel CLI
vercel --version 2>/dev/null
```
### Phase 2: Inventory
```bash
cat vercel.json 2>/dev/null
ls -la .env* 2>/dev/null
# Cron config (vercel.json is JSON, so the key appears quoted)
grep -nE '"crons"[[:space:]]*:' vercel.json 2>/dev/null
```
### Phase 3: Detection — the checks
#### Environment variables
Vercel scopes env vars to Production / Preview / Development.
- **VRC-ENV-1** Production secrets are NOT replicated to Preview. Preview deployments are accessible to anyone with the URL (unless Deployment Protection is on), so a Preview environment that holds production DB credentials is a breach.
- **VRC-ENV-2** Preview deployments either use a separate (preview) database OR have access controls that prevent leaking.
- **VRC-ENV-3** Sensitive variables are marked "Sensitive" in the Vercel UI (this masks the value from team members without specific permissions).
- **VRC-ENV-4** Variables prefixed `NEXT_PUBLIC_` / `VITE_` / etc. are truly public — see framework-specific skills.
- **VRC-ENV-5**
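
One way to run VRC-ENV-1, VRC-ENV-3 and VRC-ENV-4 over an exported variable list. This is an added example, not part of the skill itself. It assumes each record carries `key`, `target` and `type` fields as in Vercel's project env-var listing; the sample records and the name heuristics in `SECRET_HINTS` are constructed for illustration.

```python
import json

# Constructed sample (not real project data). Assumed record shape: key,
# target (string or list of environments), type ("plain", "encrypted", "sensitive", ...).
SAMPLE = json.loads("""
[
  {"key": "DATABASE_URL", "target": ["production", "preview"], "type": "encrypted"},
  {"key": "STRIPE_SECRET_KEY", "target": ["production"], "type": "sensitive"},
  {"key": "NEXT_PUBLIC_API_TOKEN", "target": ["production", "preview"], "type": "plain"},
  {"key": "NEXT_PUBLIC_SITE_NAME", "target": ["production", "preview", "development"], "type": "plain"},
  {"key": "PREVIEW_DATABASE_URL", "target": "preview", "type": "sensitive"}
]
""")

# Hypothetical heuristics: substrings that suggest a variable holds a secret.
SECRET_HINTS = ("SECRET", "TOKEN", "PASSWORD", "PRIVATE", "DATABASE_URL", "API_KEY")
PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "VITE_")


def looks_secret(key):
    return any(hint in key.upper() for hint in SECRET_HINTS)


def audit_env(envs):
    """Return (check_id, key) findings for secret-looking variables."""
    findings = []
    for env in envs:
        key = env["key"]
        target = env.get("target") or []
        targets = {target} if isinstance(target, str) else set(target)
        if not looks_secret(key):
            continue
        if key.startswith(PUBLIC_PREFIXES):
            # VRC-ENV-4: a public prefix ships the value to the browser bundle.
            findings.append(("VRC-ENV-4", key))
            continue
        if {"production", "preview"} <= targets:
            # VRC-ENV-1: one entry scoped to both means Preview gets the production value.
            findings.append(("VRC-ENV-1", key))
        if env.get("type") != "sensitive":
            # VRC-ENV-3: secret-looking value is not stored as "Sensitive".
            findings.append(("VRC-ENV-3", key))
    return findings


if __name__ == "__main__":
    for check, key in audit_env(SAMPLE):
        print(f"{check}: {key}")
```

A production secret copied into a separate Preview-only entry with the same value is not visible to this name-and-scope check, so compare values out of band where the list exposes them.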