Menu
Harden a Vercel deployment with security headers, CSP, bot protection, and deployment configuration
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | vercel-harden |
| description | Harden a Vercel deployment with security headers, CSP, bot protection, and deployment configuration |
| arguments | [--check-only] [--plan hobby|pro] |
Audit and harden a Next.js project deployed on Vercel. Applies security headers at the edge, configures CSP, blocks malicious bots, and provides a dashboard checklist for manual Vercel settings.
--check-only — Audit current security posture without making changes--plan hobby|pro — Target Vercel plan (default: pro). Controls which features are available (WAF rules, bot protection, etc.)Scan the project for existing security configuration:
- next.config.ts: poweredByHeader, headers() (static headers only — NOT CSP)
- proxy.ts: CSP header, bot blocking, honeypot paths
- vercel.json: edge-level headers
- robots.ts: bot disallow rules
Report findings as a checklist with pass/fail for each item.
If not --check-only, apply these changes:
poweredByHeader: falseheaders() function applying non-CSP security headers to /:path*reference/vercel-harden-reference.mdWARNING: Nonce-based CSP and
'strict-dynamic'are incompatible with Next.js. Next.js generates inline<script>tags for hydration, routing, and RSC payloads that cannot receive nonces. Using nonces or'strict-dynamic'will break the app (white page, broken navigation, non-functional interactive elements).
proxy.ts (not next.config.ts headers()) so it runs per-requestscript-src 'self' 'unsafe-inline' — this is the only approach compatible with Next.js@vercel/analytics or @vercel/speed-insights are installedapplication/ld+json must NOT receive noncesproxy.tsrobots.ts to block AI scrapers and SEO botsAfter changes, verify with:
curl -I https://<deployment-url>
Check for presence of all security headers and absence of X-Powered-By.
Also run:
pnpm test
pnpm build
pnpm test:e2e
After deployment, open the browser console and check for CSP violation errors. If any appear, update the CSP directives to allow the blocked resource.
Print actionable checklist for manual Vercel dashboard configuration. Include only items relevant to the --plan argument.
All code changes must follow red-green-refactor:
See reference/vercel-harden-reference.md for:
Scaffold a pnpm + Turborepo MERN monorepo with Next.js, tooling, tests, CI, and optional GitHub repo creation.
Configure GitHub repository security with branch protection, Dependabot, security scanning, and CI workflows. Integrates with mern-scaffold, nean-scaffold, and iOS projects.
Add authentication to an iOS app with Sign in with Apple, biometrics, and Keychain storage.
Scaffold a new feature with View, ViewModel, and tests following ios-std conventions.
Review iOS code for compliance with standards, NFRs, and security policy.
Manage Swift Package Manager dependencies with security checks and update verification.