A pegada
Vercel makes every deployment easy to preview. That convenience becomes a risk when a staging build, branch deployment, or generated fallback URL is shared externally, indexed, or archived without Deployment Protection.
Como funciona
The check focuses on positive public evidence: the scanned host must be a Vercel-generated `*.vercel.app` domain and it must serve a normal unauthenticated response from that same host. If Vercel Authentication, SSO, password protection, or another protection flow redirects away from the generated host, FixVibe does not report it.
O raio de impacto
Public generated deployment URLs can expose staging routes, unreleased UI, debug-only integrations, test data, preview callbacks, or weaker environment settings. Even when production is safe on a custom domain, an unprotected preview can become the path attackers and search engines remember.
// what fixvibe checks
What FixVibe checks
FixVibe checks this class with high-confidence, non-destructive signals and only reports actionable evidence. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Defesas blindadas
Enable Vercel Deployment Protection for preview and generated deployment URLs using Vercel Authentication, SSO, or password protection. Keep public traffic on a custom production domain, remove `*.vercel.app` URLs from public links and metadata, block indexing on generated deployments, and keep strong HTTP security headers in Vercel or Next.js config.