Security

Vercel Blob is available on all plans

Those with the owner, member, or developer role can access this feature.

Vercel Blob URLs, although publicly accessible, are unique and hard to guess when you use the addRandomSuffix: true option. They consist of a unique store id, a pathname, and a unique random blob id generated when the blob is created.

This is similar to the "Share a file publicly" option in Google Docs. You should ensure that the URLs are shared only with authorized users.

Headers that enhance security by preventing unauthorized downloads, blocking external content from being embedded, and protecting against malicious file type manipulation, are enforced on each blob. They are:

  • content-security-policy: default-src "none"
  • x-frame-options: DENY
  • x-content-type-options: nosniff
  • content-disposition: attachment/inline; filename="filename.extension"

All files stored on Vercel Blob are secured using AES-256 encryption. This encryption process is applied at rest and is transparent, ensuring that files are encrypted before being saved to the disk and decrypted upon retrieval.

Vercel Blob is protected by Vercel's platform-wide firewall, which provides DDoS mitigation and blocks abnormal or suspicious levels of incoming requests.

Vercel Blob does not currently support Vercel WAF. If you need WAF rules on your blob URLs, consider using a Vercel function to proxy the blob URL. This approach may introduce some latency to your requests but will enable the use of WAF rules on the blob URLs.
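
One way to write the proxy function suggested above, as an added example rather than Vercel's own code: it maps a request path to a blob URL in a single store, refuses paths that would resolve anywhere else, and passes through the security headers listed earlier so they are not lost behind the proxy. The store origin, the `/api/blob/` route and all function names are assumptions.

```javascript
// Added example, not Vercel's code. Store origin and route prefix are assumed placeholders.
const BLOB_ORIGIN = "https://store-id-placeholder.public.blob.vercel-storage.com";
const PROXY_PREFIX = "/api/blob/"; // hypothetical route served by the function

// Headers the page lists as enforced on each blob, plus content-type.
const FORWARDED_HEADERS = [
  "content-type",
  "content-security-policy",
  "x-frame-options",
  "x-content-type-options",
  "content-disposition",
];

// Map the incoming proxy URL to a blob URL; null if it would leave the store.
function resolveBlobUrl(requestUrl) {
  const { pathname } = new URL(requestUrl); // dot segments are normalised here
  if (!pathname.startsWith(PROXY_PREFIX)) return null;
  const blobPath = pathname.slice(PROXY_PREFIX.length);
  // An empty path or a leading "/" ("//host/x" is scheme-relative) is rejected.
  if (blobPath === "" || blobPath.startsWith("/")) return null;
  const target = new URL("/" + blobPath, BLOB_ORIGIN);
  // Defence in depth: the resolved URL must still be inside the store.
  if (target.origin !== BLOB_ORIGIN || target.pathname !== "/" + blobPath) return null;
  return target;
}

// Copy only the allow-listed headers from the upstream response (anything with .get()).
function forwardHeaders(upstreamHeaders) {
  const out = {};
  for (const name of FORWARDED_HEADERS) {
    const value = upstreamHeaders.get(name);
    if (value != null) out[name] = value;
  }
  return out;
}

// Handler body; fetchImpl is injectable so it can be exercised offline.
async function proxyBlob(request, fetchImpl = fetch) {
  const target = resolveBlobUrl(request.url);
  if (target === null) return new Response("Not found", { status: 404 });
  const upstream = await fetchImpl(target, { redirect: "error" });
  if (!upstream.ok) return new Response("Not found", { status: 404 });
  return new Response(upstream.body, { status: 200, headers: forwardHeaders(upstream.headers) });
}
// In a Vercel Function file, expose it as: export const GET = (req) => proxyBlob(req);
```

Because the proxied response is served from the application's own origin, dropping `content-security-policy`, `x-content-type-options` or `content-disposition` would let an uploaded file be rendered in that origin's context.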

Last updated on March 4, 2025