vercel.json Configuration Standards

Intermediate

Enforce proper vercel.json configuration — security headers, rewrites, redirects, function settings, and caching rules for Vercel deployments.

File Patterns

**/vercel.json

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# vercel.json Configuration Standards

## Rule
All Vercel projects MUST include a vercel.json with security headers, proper function configuration, and consistent redirect/rewrite patterns.

## Format
```json
{
  "$schema": "https://openapi.vercel.sh/vercel.json",
  "framework": "nextjs",
  "regions": ["iad1"],
  "headers": [...],
  "redirects": [...],
  "rewrites": [...]
}
```

## Required Security Headers
```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "X-Frame-Options", "value": "DENY" },
        { "key": "X-XSS-Protection", "value": "1; mode=block" },
        { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
        { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
      ]
    }
  ]
}
```

## Redirect Rules
```json
{
  "redirects": [
    { "source": "/old-page", "destination": "/new-page", "permanent": true },
    { "source": "/blog/:slug", "destination": "/posts/:slug", "permanent": true }
  ]
}
```
- Use `permanent: true` (301) for SEO-preserving redirects
- Use `permanent: false` (302) for temporary redirects
- Always prefer redirects over rewrites for moved content

## Function Configuration
```json
{
  "functions": {
    "app/api/heavy-computation/route.ts": {
      "maxDuration": 30,
      "memory": 1024
    }
  }
}
```

## Examples

### Good
```json
{
  "$schema": "https://openapi.vercel.sh/vercel.json",
  "regions": ["iad1"],
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        { "key": "X-Content-Type-Options", "value": "nosniff" },
        { "key": "X-Frame-Options", "value": "DENY" }
      ]
    }
  ],
  "redirects": [
    { "source": "/docs", "destination": "/documentation", "permanent": true }
  ]
}
```

### Bad
```json
{
  "builds": [{ "src": "*.js", "use": "@vercel/node" }],
  "routes": [{ "src": "/api/(.*)", "dest": "/api/$1" }]
}
```
Using deprecated `builds` and `routes` fields instead of modern configuration.

## Enforcement
Use the JSON schema for validation in your editor.
Review vercel.json in CI with a custom linting step.

FAQ

Discussion

Loading comments...

# vercel.json Configuration Standards ## Rule All Vercel projects MUST include a vercel.json with security headers, proper function configuration, and consistent redirect/rewrite patterns. ## Format ```json { "$schema": "https://openapi.vercel.sh/vercel.json", "framework": "nextjs", "regions": ["iad1"], "headers": [...], "redirects": [...], "rewrites": [...] } ``` ## Required Security Headers ```json { "headers": [ { "source": "/(.*)", "headers": [ { "key": "X-Content-Type-Options", "value": "nosniff" }, { "key": "X-Frame-Options", "value": "DENY" }, { "key": "X-XSS-Protection", "value": "1; mode=block" }, { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }, { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" } ] } ] } ``` ## Redirect Rules ```json { "redirects": [ { "source": "/old-page", "destination": "/new-page", "permanent": true }, { "source": "/blog/:slug", "destination": "/posts/:slug", "permanent": true } ] } ``` - Use `permanent: true` (301) for SEO-preserving redirects - Use `permanent: false` (302) for temporary redirects - Always prefer redirects over rewrites for moved content ## Function Configuration ```json { "functions": { "app/api/heavy-computation/route.ts": { "maxDuration": 30, "memory": 1024 } } } ``` ## Examples ### Good ```json { "$schema": "https://openapi.vercel.sh/vercel.json", "regions": ["iad1"], "headers": [ { "source": "/(.*)", "headers": [ { "key": "X-Content-Type-Options", "value": "nosniff" }, { "key": "X-Frame-Options", "value": "DENY" } ] } ], "redirects": [ { "source": "/docs", "destination": "/documentation", "permanent": true } ] } ``` ### Bad ```json { "builds": [{ "src": "*.js", "use": "@vercel/node" }], "routes": [{ "src": "/api/(.*)", "dest": "/api/$1" }] } ``` Using deprecated `builds` and `routes` fields instead of modern configuration. ## Enforcement Use the JSON schema for validation in your editor. Review vercel.json in CI with a custom linting step.