The hook
Vercel makes every deployment easy to preview. That convenience becomes a risk when a staging build, branch deployment, or generated fallback URL is shared externally, indexed, or archived without Deployment Protection.
Founga 'oku ngaue ai
The check focuses on positive public evidence: the scanned host must be a Vercel-generated `*.vercel.app` domain and it must serve a normal unauthenticated response from that same host. If Vercel Authentication, SSO, password protection, or another protection flow redirects away from the generated host, FixVibe does not report it.
The blast radius
Public generated deployment URLs can expose staging routes, unreleased UI, debug-only integrations, test data, preview callbacks, or weaker environment settings. Even when production is safe on a custom domain, an unprotected preview can become the path attackers and search engines remember.
// what fixvibe checks
What FixVibe checks
FixVibe checks this class with high-confidence, non-destructive signals and only reports actionable evidence. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Enable Vercel Deployment Protection for preview and generated deployment URLs using Vercel Authentication, SSO, or password protection. Keep public traffic on a custom production domain, remove `*.vercel.app` URLs from public links and metadata, block indexing on generated deployments, and keep strong HTTP security headers in Vercel or Next.js config.