FixVibe

// discovery / spotlight

Vercel-Specific Exposure

_next/static, x-vercel-* headers, preview URLs — Vercel-isms that leak more than they should.

The hook

Every PaaS leaks shape. The shapes are stable enough across customers that Shodan, Wappalyzer, and FOFA index them — `cf-ray`, `x-vercel-id`, `x-amz-cf-id`, `x-nf-request-id` are reconnaissance starting points, not bug bounty findings. Vercel deployments are particularly identifiable because Next.js's distinctive `/_next/` path structure and `__NEXT_DATA__` script tag are practically a signed signature. Most of the time this is benign — the platform identity isn't a secret. The bugs sneak in when preview URLs leak, when source maps reference internal hostnames, or when feature-flagged unreleased pages ship to production routes.

How it works

Vercel adds `x-vercel-id` (deployment + region identifier), `x-vercel-cache` (HIT / MISS / STALE), and `server: Vercel` headers to every response. Next.js apps expose `/_next/static/`, `/_next/data/[buildId]/`, and `/__nextjs_original-stack-frame` paths characteristic of the framework. The `__NEXT_DATA__` script in HTML reveals build metadata, locale info, and sometimes server-side props that should have stayed server-side. Preview deployments at `*.vercel.app` get their own URL per branch — convenient for testing, dangerous when one of those URLs gets shared externally and hits search engines or wayback archives.

Blast radius

Recon impact dominates — knowing the host platform helps an attacker choose tactics (which WAF, which CDN behaviors to expect). Direct impact when preview URLs leak: preview deployments often have looser access controls than production (auth disabled, debug flags on, staging API endpoints), so a leaked preview URL bypasses your production hardening. Source map references in production bundles can leak the canonical preview hostname and infrastructure details.

// what fixvibe checks

What FixVibe checks

FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Hardened defenses

Strip identifying headers if hiding Vercel as the host matters to you — Vercel's `headers` config can override or remove `x-vercel-*` headers. Don't link preview URLs from production code, marketing pages, or shared documents — once shared they get archived. Restrict preview deployments to authenticated team members via Vercel's password protection or SSO integration. Audit your Next.js config for `experimental` flags or debug routes that shouldn't ship to production. Use the same robots.txt rules for preview as for production (or stricter — preview deployments shouldn't be indexed at all). For Vercel-hosted side projects, the platform identification is fine to leave; for enterprise deployments, consider terminating at your own CDN to mask origin.
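A self-audit for the signals described under "How it works" and "Hardened defenses", run against a response from your own deployment. This is an added example, not FixVibe's checker; the headers object, the HTML and the `__NEXT_DATA__` contents are constructed, and the hostname pattern assumes any `*.vercel.app` host counts as a preview hostname (tighten it to your project's naming scheme).

```javascript
// Audit one HTML response from a Next.js app hosted on Vercel for the exposure
// signals a scanner would fingerprint. Example code, not FixVibe's own.
const IDENTIFYING_HEADERS = ["x-vercel-id", "x-vercel-cache", "server"];
const SECRET_KEY = /(secret|token|password|api[_-]?key|private)/i;
// Assumption: any *.vercel.app hostname in page props is treated as a preview URL.
const PREVIEW_HOST = /\b[a-z0-9-]+\.vercel\.app\b/i;

// Recursively walk pageProps, flagging secret-like keys and preview hostnames.
function walkProps(node, path, findings) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => walkProps(v, `${path}[${i}]`, findings));
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      if (SECRET_KEY.test(k)) findings.push(`secret-like prop: ${path}.${k}`);
      walkProps(v, `${path}.${k}`, findings);
    }
  } else if (typeof node === "string" && PREVIEW_HOST.test(node)) {
    findings.push(`preview hostname in props: ${path}`);
  }
}

// headers: plain object with lowercase keys (as Node's res.headers provides).
function auditResponse(headers, html) {
  const findings = [];
  for (const h of IDENTIFYING_HEADERS) {
    const v = headers[h];
    if (v === undefined) continue;
    if (h === "server" && !/vercel/i.test(v)) continue; // only flag "server: Vercel"
    findings.push(`identifying header: ${h}=${v}`);
  }
  const m = html.match(/<script id="__NEXT_DATA__"[^>]*>([\s\S]*?)<\/script>/);
  if (m) walkProps(JSON.parse(m[1]).props?.pageProps ?? {}, "pageProps", findings);
  if (/sourceMappingURL=/.test(html)) findings.push("source map reference in HTML");
  return findings;
}

// Constructed sample response: values are placeholders, not real deployment data.
const SAMPLE_HEADERS = {
  server: "Vercel",
  "x-vercel-id": "iad1::example-deployment-id",
  "x-vercel-cache": "HIT",
};
const SAMPLE_HTML = `<html><body><script id="__NEXT_DATA__" type="application/json">${
  JSON.stringify({ buildId: "example-build", props: { pageProps: {
    user: { name: "demo", internalApiToken: "placeholder-value" },
    cdn: "https://app-git-feature-team.vercel.app/_next/static/",
  } } })}</script></body></html>`;

console.log(auditResponse(SAMPLE_HEADERS, SAMPLE_HTML));
```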

// run it on your own app

Keep shipping product while FixVibe keeps watch over the risks.

FixVibe probes your application's public surface the same way an attacker does: no agent, no install, no map. We continuously research new vulnerability patterns and turn them into practical checks and ready-made fixes for Cursor, Claude and Copilot.

