FixVibe

// 探索 / 聚焦

Vercel-Specific Exposure

_next/static, x-vercel-* headers, preview URLs — Vercel-isms that leak more than they should.

概要

Every PaaS leaks shape. The shapes are stable enough across customers that Shodan, Wappalyzer, and FOFA index them — `cf-ray`, `x-vercel-id`, `x-amz-cf-id`, `x-nf-request-id` are reconnaissance starting points, not bug bounty findings. Vercel deployments are particularly identifiable because Next.js's distinctive `/_next/` path structure and `__NEXT_DATA__` script tag are practically a signed signature. Most of the time this is benign — the platform identity isn't a secret. The bugs sneak in when preview URLs leak, when source maps reference internal hostnames, or when feature-flagged unreleased pages ship to production routes.

運作方式

Vercel adds `x-vercel-id` (deployment + region identifier), `x-vercel-cache` (HIT / MISS / STALE), and `server: Vercel` headers to every response. Next.js apps expose `/_next/static/`, `/_next/data/[buildId]/`, and `/__nextjs_original-stack-frame` paths characteristic of the framework. The `__NEXT_DATA__` script in HTML reveals build metadata, locale info, and sometimes server-side props that should have stayed server-side. Preview deployments at `*.vercel.app` get their own URL per branch — convenient for testing, dangerous when one of those URLs gets shared externally and hits search engines or wayback archives.

影響范圍

Recon impact dominates — knowing the host platform helps an attacker choose tactics (which WAF, which CDN behaviors to expect). Direct impact when preview URLs leak: preview deployments often have looser access controls than production (auth disabled, debug flags on, staging API endpoints), so a leaked preview URL bypasses your production hardening. Source map references in production bundles can leak the canonical preview hostname and infrastructure details.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Strip identifying headers if hiding Vercel as the host matters to you — Vercel's `headers` config can override or remove `x-vercel-*` headers. Don't link preview URLs from production code, marketing pages, or shared documents — once shared they get archived. Restrict preview deployments to authenticated team members via Vercel's password protection or SSO integration. Audit your Next.js config for `experimental` flags or debug routes that shouldn't ship to production. Use the same robots.txt rules for preview as for production (or stricter — preview deployments shouldn't be indexed at all). For Vercel-hosted side projects, the platform identification is fine to leave; for enterprise deployments, consider terminating at your own CDN to mask origin.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

探索
142
本類别中触發的测試
模塊
23
專属 探索 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

Vercel-Specific Exposure — 漏洞聚焦 | FixVibe · FixVibe