Drains Security
All Drains support transport-level encryption using the HTTPS protocol.
When your server starts receiving payloads, a third party could send data to your server if it knows the URL. Therefore, you should verify the request is coming from Vercel.
Vercel sends an x-vercel-signature header with each drain, which is a hash of the payload body created using your Drain signature secret. You can find or update this secret by clicking Edit in the Drains list.
To verify the request is coming from Vercel, you can generate the hash and compare it with the header value as shown below:
import crypto from 'crypto';

export async function POST(request: Request) {
  // Store the signature secret in environment variables
  const signatureSecret = '<Drain signature secret>';

  // Hash the raw body exactly as received, before any JSON parsing
  const rawBody = await request.text();
  const rawBodyBuffer = Buffer.from(rawBody, 'utf-8');
  const bodySignature = sha1(rawBodyBuffer, signatureSecret);

  if (bodySignature !== request.headers.get('x-vercel-signature')) {
    return Response.json(
      {
        code: 'invalid_signature',
        error: "signature didn't match",
      },
      { status: 403 },
    );
  }

  console.log(rawBody);
  return Response.json({ success: true });
}

// HMAC-SHA1 of the body keyed with the Drain signature secret, hex-encoded
function sha1(data: Buffer, secret: string): string {
  return crypto.createHmac('sha1', secret).update(data).digest('hex');
}
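The check above can be isolated into a function and exercised against the inputs a drain endpoint should reject. The following is an added example, not Vercel's code; it goes beyond the handler above by comparing signatures in constant time and by handling a missing or wrong-length header. The names signBody, verifyDrainSignature and demo, and the sample secret and body, are assumptions constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// HMAC-SHA1 of the raw body, hex-encoded, matching the page's sha1() helper.
function signBody(rawBody: string, secret: string): string {
  return createHmac('sha1', secret).update(Buffer.from(rawBody, 'utf-8')).digest('hex');
}

// Returns true only if headerValue is the expected signature for rawBody.
function verifyDrainSignature(
  rawBody: string,
  headerValue: string | null,
  secret: string,
): boolean {
  if (!headerValue) return false; // header absent or empty
  const expected = Buffer.from(signBody(rawBody, secret), 'utf-8');
  const received = Buffer.from(headerValue, 'utf-8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(expected, received);
}

// Constructed sample values (hypothetical, not real Vercel data).
const SECRET = 'example-drain-secret';
const BODY = '[{"id": "1", "message": "hello"}]';
const GOOD_SIG = signBody(BODY, SECRET);

function demo(): Record<string, boolean> {
  return {
    valid: verifyDrainSignature(BODY, GOOD_SIG, SECRET),
    missingHeader: verifyDrainSignature(BODY, null, SECRET),
    truncatedHeader: verifyDrainSignature(BODY, GOOD_SIG.slice(0, 10), SECRET),
    tamperedBody: verifyDrainSignature(BODY.replace('hello', 'HELLO'), GOOD_SIG, SECRET),
    wrongSecret: verifyDrainSignature(BODY, signBody(BODY, 'other-secret'), SECRET),
    // Re-serializing parsed JSON changes whitespace, so the signed bytes differ.
    reserializedBody: verifyDrainSignature(JSON.stringify(JSON.parse(BODY)), GOOD_SIG, SECRET),
  };
}

console.log(demo());
```

Only the first case returns true; the last case shows why the signature must be computed over the raw body text rather than over a parsed and re-serialized object.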
For additional authentication or identification purposes, you can also add custom headers when configuring the Drain destination.
Managing IP address visibility is available on Enterprise and Pro plans.
Those with the owner or admin role can access this feature.
Drains can include public IP addresses in the data, which may be considered personal information under certain data protection laws. To hide IP addresses in your drains:
- Go to the Vercel dashboard and ensure your team is selected in the scope selector
- Go to the Settings tab and navigate to Security & Privacy
- Under IP Address Visibility, toggle the switch off so the text reads IP addresses are hidden in your Drains
This setting is applied team-wide across all projects and drains.
For more information on Drains security and how to use them, check out the following resources: