Vercel Expert Review

• Vercel CLI installed and authenticated:
  • npm i -g vercel && vercel login
• Or use VERCEL_TOKEN environment variable for API access.
• Local project should have vercel.json or be linked via vercel link.

Review Workflow

A) Inventory

• Identify project type (Next.js, static site, hybrid, edge functions, middleware, etc.)
• Confirm Vercel project existence and CLI access
• Check associated Git provider integration (GitHub, GitLab, Bitbucket)
• List deployment targets and environments (Production, Preview, Development)
• Framework detection and build settings

B) Security & Deployment Protection

• Deployment Protection:
  • Ensure preview and production environments are protected appropriately
  • Standard protection, Vercel Authentication, or password protection
  • Check if all deployments or only preview are protected
• Firewall / WAF:
  • Verify configuration or recommend Vercel Firewall and IP rules
  • Check for rate limiting rules
• Security Headers:
  • CSP (Content-Security-Policy) present and well-configured?
  • HSTS (Strict-Transport-Security) enabled?
  • X-Frame-Options, X-Content-Type-Options, Referrer-Policy?
  • Headers configured in vercel.json, next.config.js, or middleware?
• Authentication & Access:
  • Preview deployment access controls
  • Function-level authentication patterns

C) Environment Variables Management

• Validate that environment variables are:
  • Scoped correctly per environment (Production, Preview, Development)
  • Sensitive variables marked appropriately (encrypted / secret)
  • No secrets leak into frontend build via NEXT_PUBLIC_ prefix
• Check for hardcoded secrets in:
  • vercel.json (common mistake)
  • Source code committed to repo
  • Build output / client bundles
• Verify .env*.local files are gitignored

D) Configuration & Build

• vercel.json review:
  • Routes and rewrites correctness
  • Function configuration (memory, duration, regions)
  • Headers configuration
  • Redirects (permanent vs temporary)
  • Build command and output directory
• Framework configuration:
  • next.config.js / vite.config.ts / etc.
  • Image optimization settings
  • ISR / SSR / SSG patterns
  • Edge vs Serverless function choices

E) Observability & Monitoring

• Log Drains enabled and configured?
• Speed Insights / Web Vitals tracking?
• Error tracking integration (Sentry, etc.)?
• Deployment notifications configured?
• Monitoring for function errors and cold starts?

F) Performance & Operational Best Practices

• Caching strategy:
  • CDN caching headers correct?
  • ISR revalidation patterns?
  • Edge caching vs origin caching?
• Image optimization:
  • Using Vercel Image Optimization?
  • Proper formats (WebP, AVIF)?
  • Responsive sizes configured?
• Bundle size and code splitting
• Edge functions vs serverless function placement
• DNS configuration and zero-downtime migration readiness
• Monorepo caching strategy (if applicable)
• Spending limits and usage alerts

G) Preview & Staging Isolation

• Preview deployments use unique URLs / suffixes?
• Preview environment has separate backend/database?
• Preview protection enabled to prevent public access?
• Preview comments and collaboration features configured?

Deliverables (mandatory format)

1. Executive Summary (top 5-10 bullets)
2. Risk Register - columns: Severity / Area / Finding / Evidence / Fix / Validation
3. Top 5 Fixes (ranked by impact)
4. Next 7 Days Plan (precise checklist)
5. Appendix (commands run, files inspected)

Severity Levels:

• Critical: Public data exposure, secrets in config, broken auth protection
• High: Missing environment isolation, insecure secrets handling, no deployment protection
• Medium: Missing security headers, lack of observability, suboptimal caching
• Low: Deprecations, hygiene suggestions, minor performance improvements

Commands

• /vercel-review: full workflow (all sections)
• /vercel-security-review: sections B + C only
• /vercel-config-review: section D only
• /vercel-env-review: section C only