Conceptual

Methods to bypass Deployment Protection

Learn how to bypass Deployment Protection for specific domains, or for all deployments in a project.
Table of Contents

To test, share, or exclude specific domains from Deployment Protection, you can use the following methods to allow specific access while maintaining overall security:

  • Shareable Links: Shareable links enable external users to access specific branch deployments by appending a secure query parameter to the URL
  • Protection Bypass for Automation: Use a secret to bypass protection features for all deployments in a project, such as for end-to-end (E2E) testing
  • Deployment Protection Exceptions: Specify preview domains that should be exempt from deployment protection
  • OPTIONS Allowlist: Specify paths to be unprotected for CORS preflight OPTIONS requests

Shareable Links are available on all plans

Sharable Links allow external access to specific branch deployments through a secure query parameter. Users with this link can see the latest deployment and leave comments (if enabled and logged in with their Vercel account).

For example, if you generate a Sharable Link for the feature-new-ui branch. Users with this link can view the latest deployment and comment.

Learn more about Sharable Links, and how to generate and revoke them.

Protection Bypass for Automation is available on all plans

For automated tasks like end-to-end (E2E) testing, you can use Protection bypass for Automation. When enabled, it generates a secret that can be used as a System Environment Variable (VERCEL_AUTOMATION_BYPASS_SECRET) to bypass protection features for all deployments in a project.

For example, you set up E2E tests that run on deployments. By using this feature and the generated secret, your tests can bypass the protection mechanisms.

Learn more about Protection bypass for Automation, and how to enable and disable it.

Deployment Protection Exceptions are available on Enterprise plans or with the Advanced Deployment Protection add-on for Pro plans

With Deployment Protection Exceptions you can specify preview domains that should be exempt from deployment protection. Adding a domain to Deployment Protection Exceptions makes it publicly accessible, bypassing features like Vercel Authentication, Password Protection, and Trusted IPs.

For example, if you add preview-branch-name.vercel.app to Deployment Protection Exceptions, this domain becomes publicly accessible, bypassing the project's deployment protection settings. When removed, it reverts to the default protection settings.

Learn more about Deployment Protection Exceptions, and how to add and remove domains.

OPTIONS Allowlist is available on all plans

With OPTIONS Allowlist you can specify paths to be unprotected for preflight OPTIONS requests. This can be used to enable CORS preflight requests to your project's protected deployments, as browsers do not send authentication on preflight requests.

Incoming request paths will be compared with the paths in the allowlist, if a request path starts with one of the specified paths, and has the method OPTIONS, it will bypass Deployment Protection.

For example, if you specify /api, all requests to paths that start with /api (such as /api/v1/users and /api/v2/projects) will be unprotected for any OPTIONS request.

Learn more about OPTIONS Allowlist.

Last updated on August 7, 2024