Security
Vercel Blob is available on all plans
Those with the owner, member, developer role can access this feature
For files that require authentication, use private storage. Private Blob stores require the BLOB_READ_WRITE_TOKEN for all read and write operations. Files in private Blob stores cannot be accessed via public URLs. You deliver them to your users through Vercel Functions where you implement your own authentication logic.
Vercel Blob URLs, although publicly accessible, are unique and hard to guess when you use the addRandomSuffix: true option. They consist of a unique store id, a pathname, and a unique random blob id generated when the blob is created.
This is similar to Share a file publicly in Google Docs. You should ensure that the URLs are only shared to authorized users
Headers that enhance security by preventing unauthorized downloads, blocking external content from being embedded, and protecting against malicious file type manipulation, are enforced on each blob. They are:
content-security-policy:default-src "none"x-frame-options:DENYx-content-type-options:nosniffcontent-disposition:attachment/inline; filename="filename.extension"
All files stored on Vercel Blob are secured using AES-256 encryption. This encryption process is applied at rest and is transparent, ensuring that files are encrypted before being saved to the disk and decrypted upon retrieval.
Vercel Blob is protected by Vercel's platform-wide firewall which provides DDoS mitigation and blocks abnormal or suspicious levels of incoming requests.
Vercel Blob does not currently support Vercel WAF. If you need WAF rules on your blob URLs, consider using a Vercel function to proxy the blob URL. This approach may introduce some latency to your requests but will enable the use of WAF rules on the blob URLs.
Was this helpful?