FixVibe

// discovery / spotlight

Vercel-Specific Exposure

_next/static, x-vercel-* headers, preview URLs โ€” Vercel-isms that leak more than they should.

Kaitnya

Every PaaS leaks shape. The shapes are stable enough across customers that Shodan, Wappalyzer, and FOFA index them โ€” `cf-ray`, `x-vercel-id`, `x-amz-cf-id`, `x-nf-request-id` are reconnaissance starting points, not bug bounty findings. Vercel deployments are particularly identifiable because Next.js's distinctive `/_next/` path structure and `__NEXT_DATA__` script tag are practically a signed signature. Most of the time this is benign โ€” the platform identity isn't a secret. The bugs sneak in when preview URLs leak, when source maps reference internal hostnames, or when feature-flagged unreleased pages ship to production routes.

Cara kerjanya

Vercel adds `x-vercel-id` (deployment + region identifier), `x-vercel-cache` (HIT / MISS / STALE), and `server: Vercel` headers to every response. Next.js apps expose `/_next/static/`, `/_next/data/[buildId]/`, and `/__nextjs_original-stack-frame` paths characteristic of the framework. The `__NEXT_DATA__` script in HTML reveals build metadata, locale info, and sometimes server-side props that should have stayed server-side. Preview deployments at `*.vercel.app` get their own URL per branch โ€” convenient for testing, dangerous when one of those URLs gets shared externally and hits search engines or wayback archives.

Radius dampak

Recon impact dominates โ€” knowing the host platform helps an attacker choose tactics (which WAF, which CDN behaviors to expect). Direct impact when preview URLs leak: preview deployments often have looser access controls than production (auth disabled, debug flags on, staging API endpoints), so a leaked preview URL bypasses your production hardening. Source map references in production bundles can leak the canonical preview hostname and infrastructure details.

// apa yang fixvibe periksa

Apa yang FixVibe periksa

FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Pertahanan kokoh

Strip identifying headers if hiding Vercel as the host matters to you โ€” Vercel's `headers` config can override or remove `x-vercel-*` headers. Don't link preview URLs from production code, marketing pages, or shared documents โ€” once shared they get archived. Restrict preview deployments to authenticated team members via Vercel's password protection or SSO integration. Audit your Next.js config for `experimental` flags or debug routes that shouldn't ship to production. Use the same robots.txt rules for preview as for production (or stricter โ€” preview deployments shouldn't be indexed at all). For Vercel-hosted side projects, the platform identification is fine to leave; for enterprise deployments, consider terminating at your own CDN to mask origin.

// run it on your own app

Terus rilis sementara FixVibe yang berjaga.

FixVibe menguji permukaan publik app kamu sebagaimana seorang penyerang akan melakukannya โ€” tanpa agent, tanpa instalasi, tanpa kartu. Kami terus meneliti pola kerentanan baru dan mengubahnya jadi check praktis serta perbaikan siap-tempel untuk Cursor, Claude, dan Copilot.

Discovery
142
tes yang dijalankan di kategori ini
modules
23
check discovery khusus
setiap pemindaian
487+
tes di seluruh kategori
  • Gratis โ€” tanpa kartu kredit, tanpa instalasi, tanpa ping Slack
  • Cukup tempel URL โ€” kami crawl, probe, dan laporkan
  • Temuan berperingkat severity, di-dedupe jadi sinyal saja
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Jalankan scan gratis โ†’

// latest checks ยท practical fixes ยท ship with confidence

Vercel-Specific Exposure โ€” Sorotan Kerentanan | FixVibe ยท FixVibe