14. Security — WAF, DDoS, Access Control
14.1 Managed WAF (Web Application Firewall)
Enterprise feature. Protects against:
- OWASP Top 10 attacks (SQL injection, XSS, CSRF)
- Bot attacks
- DDoS at the network level
- Up to 1,000 custom firewall rules (Enterprise)
- Up to 1,000 IP blocking rules
14.2 DDoS mitigation
Vercel's edge network absorbs volumetric DDoS attacks automatically. Because static assets and edge-cached responses are served without invoking Vercel Functions, the attack surface is dramatically reduced.
14.3 Deployment protection
- Password protection: Preview deployments behind a shared password
- Vercel Authentication: Preview deployments visible only to team members
- Trusted IPs: Restrict access to known IPs (Enterprise)
14.4 Environment variables
# .env.local (local development only — never committed)
DATABASE_URL=postgres://...
STRIPE_SECRET_KEY=sk_test_...
# Vercel dashboard: set per-environment (Production / Preview / Development)
# NEXT_PUBLIC_ prefix = exposed to browser (build-time)
# No prefix = server-only (runtime)
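As an added example (not from this page and not Vercel's own tooling), a small Node.js pre-deploy check that parses .env-style text and flags secret-looking variable names carrying the NEXT_PUBLIC_ prefix, since those values are inlined into the browser bundle at build time; the name heuristic and the sample values are assumptions.

```javascript
// Added example, not Vercel's code: flag secrets that the NEXT_PUBLIC_ prefix
// would inline into the browser bundle at build time.
const BROWSER_PREFIX = 'NEXT_PUBLIC_';
// Assumed heuristic: name fragments that usually denote server-only credentials.
const SECRET_HINTS = /SECRET|PRIVATE|PASSWORD|TOKEN|API_KEY|DATABASE_URL|CONNECTION_STRING/i;

// Parse KEY=value lines, skipping blanks, comments and an optional `export `.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2].trim();
    // Strip one pair of matching surrounding quotes.
    if (value.length >= 2 && /^["']/.test(value) && value.endsWith(value[0])) {
      value = value.slice(1, -1);
    }
    vars[m[1]] = value;
  }
  return vars;
}

// Report every variable that is both browser-exposed and secret-looking.
function auditEnv(text) {
  const findings = [];
  for (const name of Object.keys(parseEnv(text))) {
    if (!name.startsWith(BROWSER_PREFIX)) continue; // server-only: never reaches the client
    if (SECRET_HINTS.test(name.slice(BROWSER_PREFIX.length))) {
      findings.push({ name, reason: 'secret-like name would be inlined into client JavaScript' });
    }
  }
  return findings;
}

// Constructed sample .env.local; values are placeholders, not real credentials.
const SAMPLE_ENV = `
# server-only
DATABASE_URL=postgres://app:placeholder@localhost/app
STRIPE_SECRET_KEY=sk_test_placeholder
# browser-exposed
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_placeholder
NEXT_PUBLIC_STRIPE_SECRET_KEY="sk_test_placeholder"
NEXT_PUBLIC_API_URL=https://api.example.com
`;

console.log(auditEnv(SAMPLE_ENV)); // one finding: NEXT_PUBLIC_STRIPE_SECRET_KEY
```

Run it as a CI step before `vercel deploy`; a non-empty findings array means a server credential is about to ship to every visitor's browser.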
14.5 Compliance
Vercel Enterprise supports:
- SOC 2 Type II
- GDPR / EU data residency (deploy functions in EU regions)
- HIPAA (with Business Associate Agreement)
- PCI DSS considerations
- SAML SSO + SCIM/Directory Sync