Kaitnya
Every PaaS leaks shape. The shapes are stable enough across customers that Shodan, Wappalyzer, and FOFA index them โ `cf-ray`, `x-vercel-id`, `x-amz-cf-id`, `x-nf-request-id` are reconnaissance starting points, not bug bounty findings. Vercel deployments are particularly identifiable because Next.js's distinctive `/_next/` path structure and `__NEXT_DATA__` script tag are practically a signed signature. Most of the time this is benign โ the platform identity isn't a secret. The bugs sneak in when preview URLs leak, when source maps reference internal hostnames, or when feature-flagged unreleased pages ship to production routes.
Cara kerjanya
Vercel adds `x-vercel-id` (deployment + region identifier), `x-vercel-cache` (HIT / MISS / STALE), and `server: Vercel` headers to every response. Next.js apps expose `/_next/static/`, `/_next/data/[buildId]/`, and `/__nextjs_original-stack-frame` paths characteristic of the framework. The `__NEXT_DATA__` script in HTML reveals build metadata, locale info, and sometimes server-side props that should have stayed server-side. Preview deployments at `*.vercel.app` get their own URL per branch โ convenient for testing, dangerous when one of those URLs gets shared externally and hits search engines or wayback archives.
Radius dampak
Recon impact dominates โ knowing the host platform helps an attacker choose tactics (which WAF, which CDN behaviors to expect). Direct impact when preview URLs leak: preview deployments often have looser access controls than production (auth disabled, debug flags on, staging API endpoints), so a leaked preview URL bypasses your production hardening. Source map references in production bundles can leak the canonical preview hostname and infrastructure details.
// apa yang fixvibe periksa
Apa yang FixVibe periksa
FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Pertahanan kokoh
Strip identifying headers if hiding Vercel as the host matters to you โ Vercel's `headers` config can override or remove `x-vercel-*` headers. Don't link preview URLs from production code, marketing pages, or shared documents โ once shared they get archived. Restrict preview deployments to authenticated team members via Vercel's password protection or SSO integration. Audit your Next.js config for `experimental` flags or debug routes that shouldn't ship to production. Use the same robots.txt rules for preview as for production (or stricter โ preview deployments shouldn't be indexed at all). For Vercel-hosted side projects, the platform identification is fine to leave; for enterprise deployments, consider terminating at your own CDN to mask origin.
