ワンクリックでManusで任意のスキルを実行

始める

vercel-harden

スター1

フォーク1

更新日2026年2月15日 23:11

Harden a Vercel deployment with security headers, CSP, bot protection, and deployment configuration

インストール

Codex または Claude でインストールこの Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。

Manusで実行

ソース

edfenton

edfenton/claude-skills

GitHub リポジトリを開く Creator のリポジトリを見る

ダウンロード

Manusで実行

Vercel Deployment Hardening

Purpose

Audit and harden a Next.js project deployed on Vercel. Applies security headers at the edge, configures CSP, blocks malicious bots, and provides a dashboard checklist for manual Vercel settings.

Arguments

--check-only — Audit current security posture without making changes
--plan hobby|pro — Target Vercel plan (default: pro). Controls which features are available (WAF rules, bot protection, etc.)

Workflow

1. Audit current posture

Scan the project for existing security configuration:

- next.config.ts: poweredByHeader, headers() (static headers only — NOT CSP)
- proxy.ts: CSP header, bot blocking, honeypot paths
- vercel.json: edge-level headers
- robots.ts: bot disallow rules

Report findings as a checklist with pass/fail for each item.

2. Apply code-level hardening

If not --check-only, apply these changes:

Static headers (next.config.ts)

Set poweredByHeader: false
Add headers() function applying non-CSP security headers to /:path*
Required headers: see reference/vercel-harden-reference.md
CSP must NOT go here — static headers cannot handle Next.js inline scripts

CSP configuration (proxy.ts)

WARNING: Nonce-based CSP and 'strict-dynamic' are incompatible with Next.js. Next.js generates inline <script> tags for hydration, routing, and RSC payloads that cannot receive nonces. Using nonces or 'strict-dynamic' will break the app (white page, broken navigation, non-functional interactive elements).

CSP must be applied in proxy.ts (not next.config.ts headers()) so it runs per-request
Use script-src 'self' 'unsafe-inline' — this is the only approach compatible with Next.js
Build remaining directives from project's actual dependencies (check for analytics, embeds, fonts, etc.)
Add Vercel Analytics sources if @vercel/analytics or @vercel/speed-insights are installed
Non-executable script types like application/ld+json must NOT receive nonces
See reference doc for base directives and third-party allowlists

Bot protection (proxy.ts)

Add blocked user agent check and honeypot path check in proxy.ts
Update robots.ts to block AI scrapers and SEO bots
See reference doc for recommended patterns

3. Verify headers

After changes, verify with:

curl -I https://<deployment-url>

Check for presence of all security headers and absence of X-Powered-By.

Also run:

pnpm test
pnpm build
pnpm test:e2e

After deployment, open the browser console and check for CSP violation errors. If any appear, update the CSP directives to allow the blocked resource.

4. Output Vercel dashboard checklist

Print actionable checklist for manual Vercel dashboard configuration. Include only items relevant to the --plan argument.

TDD requirement

All code changes must follow red-green-refactor:

Write failing tests for new headers/bot protection
Implement to make tests pass
Refactor

Reference

See reference/vercel-harden-reference.md for:

Full header reference with recommended values
CSP directive guide and third-party allowlists
WAF rule templates
Bot protection patterns
Vercel plan feature matrix

このリポジトリの他の Skills

同じリポジトリ

mern-scaffold

edfenton/claude-skills

Scaffold a pnpm + Turborepo MERN monorepo with Next.js, tooling, tests, CI, and optional GitHub repo creation.

2026-02-211

github-secure

edfenton/claude-skills

Configure GitHub repository security with branch protection, Dependabot, security scanning, and CI workflows. Integrates with mern-scaffold, nean-scaffold, and iOS projects.

2026-02-211

ios-add-auth

edfenton/claude-skills

Add authentication to an iOS app with Sign in with Apple, biometrics, and Keychain storage.

2026-02-131

ios-add-feature

edfenton/claude-skills

Scaffold a new feature with View, ViewModel, and tests following ios-std conventions.

2026-02-131

ios-code-review

edfenton/claude-skills

Review iOS code for compliance with standards, NFRs, and security policy.

2026-02-131

ios-deps

edfenton/claude-skills

Manage Swift Package Manager dependencies with security checks and update verification.

2026-02-131

name	vercel-harden
description	Harden a Vercel deployment with security headers, CSP, bot protection, and deployment configuration
arguments	[--check-only] [--plan hobby\|pro]

Vercel Deployment Hardening

Purpose

Audit and harden a Next.js project deployed on Vercel. Applies security headers at the edge, configures CSP, blocks malicious bots, and provides a dashboard checklist for manual Vercel settings.

Arguments

--check-only — Audit current security posture without making changes
--plan hobby|pro — Target Vercel plan (default: pro). Controls which features are available (WAF rules, bot protection, etc.)

Workflow

1. Audit current posture

Scan the project for existing security configuration:

- next.config.ts: poweredByHeader, headers() (static headers only — NOT CSP)
- proxy.ts: CSP header, bot blocking, honeypot paths
- vercel.json: edge-level headers
- robots.ts: bot disallow rules

Report findings as a checklist with pass/fail for each item.

2. Apply code-level hardening

If not --check-only, apply these changes:

Static headers (next.config.ts)

Set poweredByHeader: false
Add headers() function applying non-CSP security headers to /:path*
Required headers: see reference/vercel-harden-reference.md
CSP must NOT go here — static headers cannot handle Next.js inline scripts

CSP configuration (proxy.ts)

WARNING: Nonce-based CSP and 'strict-dynamic' are incompatible with Next.js. Next.js generates inline <script> tags for hydration, routing, and RSC payloads that cannot receive nonces. Using nonces or 'strict-dynamic' will break the app (white page, broken navigation, non-functional interactive elements).

CSP must be applied in proxy.ts (not next.config.ts headers()) so it runs per-request
Use script-src 'self' 'unsafe-inline' — this is the only approach compatible with Next.js
Build remaining directives from project's actual dependencies (check for analytics, embeds, fonts, etc.)
Add Vercel Analytics sources if @vercel/analytics or @vercel/speed-insights are installed
Non-executable script types like application/ld+json must NOT receive nonces
See reference doc for base directives and third-party allowlists

Bot protection (proxy.ts)

Add blocked user agent check and honeypot path check in proxy.ts
Update robots.ts to block AI scrapers and SEO bots
See reference doc for recommended patterns

3. Verify headers

After changes, verify with:

curl -I https://<deployment-url>

Check for presence of all security headers and absence of X-Powered-By.

Also run:

pnpm test
pnpm build
pnpm test:e2e

After deployment, open the browser console and check for CSP violation errors. If any appear, update the CSP directives to allow the blocked resource.

4. Output Vercel dashboard checklist

Print actionable checklist for manual Vercel dashboard configuration. Include only items relevant to the --plan argument.

TDD requirement

All code changes must follow red-green-refactor:

Write failing tests for new headers/bot protection
Implement to make tests pass
Refactor

Reference

See reference/vercel-harden-reference.md for:

Full header reference with recommended values
CSP directive guide and third-party allowlists
WAF rule templates
Bot protection patterns
Vercel plan feature matrix