Drains Security

All Drains support transport-level encryption using HTTPS protocol.

When your server starts receiving payloads, a third party could send data to your server if it knows the URL. Therefore, you should verify the request is coming from Vercel.

Secure Drains

Vercel sends an x-vercel-signature header with each drain, which is a hash of the payload body created using your Drain signature secret. You can find or update this secret by clicking Edit in the Drains list.

To verify the request is coming from Vercel, you can generate the hash and compare it with the header value as shown below:

server.ts
import crypto from 'crypto';
 
export async function POST(request: Request) {
  // Store the signature secret in environment variables
  const signatureSecret = '<Drain signature secret>';
 
  const rawBody = await request.text();
  const rawBodyBuffer = Buffer.from(rawBody, 'utf-8');
  const bodySignature = sha1(rawBodyBuffer, signatureSecret);
 
  if (bodySignature !== request.headers.get('x-vercel-signature')) {
    return Response.json(
      {
        code: 'invalid_signature',
        error: "signature didn't match",
      },
      { status: 403 },
    );
  }
 
  console.log(rawBody);
 
  return Response.json({ success: true });
}
 
async function sha1(data: Buffer, secret: string): string {
  return crypto.createHmac('sha1', secret).update(data).digest('hex');
}

For additional authentication or identification purposes, you can also add custom headers when configuring the Drain destination

IP Address Visibility

Managing IP address visibility is available on Enterprise and Pro plans.

Those with the owner, admin role can access this feature

Drains can include public IP addresses in the data, which may be considered personal information under certain data protection laws. To hide IP addresses in your drains:

  1. Go to the Vercel dashboard and ensure your team is selected in the scope selector
  2. Go to the Settings tab and navigate to Security & Privacy
  3. Under IP Address Visibility, toggle the switch off so the text reads IP addresses are hidden in your Drains

This setting is applied team-wide across all projects and drains.

More resources

For more information on Drains security and how to use them, check out the following resources:

Previous
Using Drains
Next
Web Analytics

Was this helpful?

supported.