FixVibe

// discovery / spotlight

Vercel-Specific Exposure

_next/static, x-vercel-* headers, preview URLs — Vercel-isms that leak more than they should.

Il gancio

Every PaaS leaks shape. The shapes are stable enough across customers that Shodan, Wappalyzer, and FOFA index them — `cf-ray`, `x-vercel-id`, `x-amz-cf-id`, `x-nf-request-id` are reconnaissance starting points, not bug bounty findings. Vercel deployments are particularly identifiable because Next.js's distinctive `/_next/` path structure and `__NEXT_DATA__` script tag are practically a signed signature. Most of the time this is benign — the platform identity isn't a secret. The bugs sneak in when preview URLs leak, when source maps reference internal hostnames, or when feature-flagged unreleased pages ship to production routes.

Come funziona

Vercel adds `x-vercel-id` (deployment + region identifier), `x-vercel-cache` (HIT / MISS / STALE), and `server: Vercel` headers to every response. Next.js apps expose `/_next/static/`, `/_next/data/[buildId]/`, and `/__nextjs_original-stack-frame` paths characteristic of the framework. The `__NEXT_DATA__` script in HTML reveals build metadata, locale info, and sometimes server-side props that should have stayed server-side. Preview deployments at `*.vercel.app` get their own URL per branch — convenient for testing, dangerous when one of those URLs gets shared externally and hits search engines or wayback archives.

Il raggio d'azione

Recon impact dominates — knowing the host platform helps an attacker choose tactics (which WAF, which CDN behaviors to expect). Direct impact when preview URLs leak: preview deployments often have looser access controls than production (auth disabled, debug flags on, staging API endpoints), so a leaked preview URL bypasses your production hardening. Source map references in production bundles can leak the canonical preview hostname and infrastructure details.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Strip identifying headers if hiding Vercel as the host matters to you — Vercel's `headers` config can override or remove `x-vercel-*` headers. Don't link preview URLs from production code, marketing pages, or shared documents — once shared they get archived. Restrict preview deployments to authenticated team members via Vercel's password protection or SSO integration. Audit your Next.js config for `experimental` flags or debug routes that shouldn't ship to production. Use the same robots.txt rules for preview as for production (or stricter — preview deployments shouldn't be indexed at all). For Vercel-hosted side projects, the platform identification is fine to leave; for enterprise deployments, consider terminating at your own CDN to mask origin.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

Discovery
142
test eseguiti in questa categoria
modules
23
controlli dedicati a discovery
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

Vercel-Specific Exposure — Vulnerabilità in primo piano | FixVibe · FixVibe