How to Avoid Bankruptcy Using Vercel: Tips to Prevent DDoS and Control Costs
After working with Next.js projects, it is clear that deploying on Vercel saves hours and hours of manual work and maintenance. However, just a few days after deployment, I started receiving messages about exceeding image resizing quotas. I began looking into how other developers handle billing and stumbled upon multiple posts sharing scary stories about Vercel, such as one about a bug in an Astro deployment that caused a $3000 bill in 6 hours, or a user who fell victim to a DDoS attack and had to pay $600.
Protecting Against DDoS on Vercel
The most significant security incident risk on Vercel is DDoS (Distributed Denial of Service). This means an attacker sends a massive number of requests from multiple machines to the server hosting the web application. The goal of a DDoS attack is to disrupt the availability of a web application by overwhelming the service with requests. For apps hosted on Vercel, this has the additional side effect of rapidly increasing bandwidth usage, potentially leaving the targeted account with hundreds or even thousands of dollars in unexpected charges.
By default, Vercel already activates an anti-DDoS tool, which can be monitored in the Firewall section of each Vercel project. Here, you can see the number of allowed, challenged, and denied requests within the past 24 hours.
If you suspect a DDoS or want to prevent potential attacks proactively, you can activate the Attack Challenge Mode.
On the same Firewall page in Vercel, another important security measure is available: Vercel WAF rate limiting. Rate limiting restricts the number of times a single user can access an endpoint. This can be enabled by creating a new firewall rule, setting a specific request path as the trigger, and choosing "rate limiting" as the action. (Note that at the time of writing, this feature is available only to Pro users.)
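As an added example (not from the original post, and not Vercel's WAF), here is an application-level sliding-window limiter that a Next.js `middleware.js` could apply as a fallback on plans without WAF rate limiting. The window, the request cap, the `x-forwarded-for` header set by Vercel's proxy, and the Node 18+/Edge runtime `Request`/`Response` globals are assumptions.

```javascript
// Application-level rate limiter for a Next.js middleware.js, written as a
// fallback for plans without Vercel WAF rate limiting (assumption: Node 18+
// or the Edge runtime, where Request and Response are globals). State lives
// in the memory of one isolate, so the limit is per instance and resets on
// redeploy; an exact global limit needs a shared store (e.g. Vercel KV).

const WINDOW_MS = 60_000;   // sliding window length (assumed value)
const MAX_REQUESTS = 30;    // requests allowed per client per window (assumed)
const hits = new Map();     // client key -> ascending request timestamps

// Sliding-window check. Returns { allowed, remaining, retryAfterSec }.
// `now` is a parameter so the logic can be exercised deterministically.
function checkRateLimit(key, now = Date.now()) {
  const cutoff = now - WINDOW_MS;
  const recent = (hits.get(key) || []).filter((t) => t > cutoff);
  if (recent.length >= MAX_REQUESTS) {
    hits.set(key, recent);
    // Oldest hit in the window decides when the next request may pass.
    const retryAfterSec = Math.ceil((recent[0] + WINDOW_MS - now) / 1000);
    return { allowed: false, remaining: 0, retryAfterSec };
  }
  recent.push(now);
  hits.set(key, recent);
  return { allowed: true, remaining: MAX_REQUESTS - recent.length, retryAfterSec: 0 };
}

// Client key: first address in x-forwarded-for (populated by Vercel's proxy),
// with a fixed bucket so unkeyed requests are still bounded rather than free.
function clientKey(request) {
  const xff = request.headers.get('x-forwarded-for') || '';
  return xff.split(',')[0].trim() || 'unknown';
}

// Middleware body. In middleware.js this is `export function middleware`, with
// `export const config = { matcher: ['/api/:path*'] }` so only API routes are
// counted; static assets stay on the CDN cache. Returning undefined lets
// Next.js continue to the route handler.
function middleware(request, now = Date.now()) {
  const result = checkRateLimit(clientKey(request), now);
  if (!result.allowed) {
    return new Response('Too Many Requests', {
      status: 429,
      headers: { 'Retry-After': String(result.retryAfterSec) },
    });
  }
  return undefined;
}
```

Stale keys are not swept here; add a periodic purge of empty or expired entries before relying on this under sustained traffic.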
Lastly, and probably most effectively, consider using an external anti-DDoS mechanism such as Cloudflare. You've probably encountered this method before—it typically displays a captcha before loading a webpage.
Avoiding Surprise Costs from Media Storage
One of the most expensive aspects of Vercel is media storage and delivery, which can become particularly problematic during DDoS attacks. Attackers frequently target resource-intensive operations like image loading, quickly exhausting bandwidth allocations and causing unexpected costs.
To mitigate this risk, the best solution is to use AWS S3 for media storage instead of Vercel’s built-in storage. AWS S3 provides stronger scaling capabilities and usually offers more predictable pricing during traffic spikes. By configuring your S3 bucket with the right permissions and integrating it with your Vercel deployment, you can offload bandwidth-heavy media requests to AWS infrastructure, which handles high traffic more efficiently.
The Vercel Image Optimization service is particularly vulnerable to cost explosions. Although it offers convenient on-the-fly image resizing and optimization, each resize operation counts against your quota and incurs costs. During a DDoS attack, attackers may intentionally request multiple variations of images, quickly exhausting your quota and generating significant additional charges.
Conclusion
Despite these cost concerns, Vercel offers valuable security advantages for Next.js applications. Consider the recent critical Next.js vulnerability CVE-2025-29927: while it affected applications across platforms, Vercel users received automatic security patches immediately. As the company behind Next.js, Vercel typically deploys framework-level security fixes before most developers even become aware of vulnerabilities. This automatic protection layer can justify Vercel's costs when compared to the potential expenses of security incidents and the engineering time needed to manually patch vulnerabilities on self-hosted solutions.