Current vs Expected Behavior:
Currently, all deployment thumbnails show “Error: Forbidden (403)” in the Vercel dashboard preview starting from commit f6d7fc7 (“unused files cleaning”). Even older rollback deployments now show the same error. Expected behavior: the thumbnail should show a screenshot of the actual homepage, as it did correctly before commit 3mECEEcdV.
Steps to Reproduce:
Go to project deployments page
Look at any deployment from commit f6d7fc7 onwards
Thumbnail shows “Error: Forbidden” instead of homepage screenshot
What I Have Already Checked:
Vercel Authentication → Disabled
Firewall Custom Rules → 0 (none)
Bot Protection → Inactive
Homepage has NO auth guards or route-level access control in code
Homepage loads correctly in incognito mode (200 OK)
Firewall Traffic logs show AWS IPs (13.56.233.188, 54.193.105.97, 54.67.70.172) hitting “/” and being denied by DDoS Mitigation
Tried redeploying and rolling back — issue persists on all deployments
Project Information:
Project name: 1dreamscape-creation
Framework: React (MERN stack)
Plan: Hobby
Last working deployment: 3mECEEcdV
First broken deployment: f6d7fc7 (“unused files cleaning”)
Suspicion:
Vercel’s internal screenshot/thumbnail service is being blocked by automatic DDoS Mitigation at the edge before requests reach the app. The live site works perfectly for all real users in browser and incognito mode.
Facing the same issue, from yesterday morning onwards, after a commit that does not affect anything. Tried turning off Vercel Authentication, even though it was working earlier with Vercel Authentication. Asked the support bot, and it suggested it’s related to the Vercel Screenshot Service. The fixes suggested by the bot did not seem to work; looking forward to any communication. No issues when viewing the deployed site for users and in incognito.
Vercel Authentication → Disabled
Firewall Custom Rules → 0 (none)
Bot Protection → Inactive
Homepage has NO auth guards or route-level access control in code
Homepage loads correctly in incognito mode (200 OK)
Project name: v2-portfolio
Framework: Next.js
Plan: Hobby
Last Working Deployment: Dk5GrntmL
First broken deployment: ff86984 (chore: update tsconfig.json)
These appear to be Vercel’s own thumbnail/screenshot service being blocked by DDoS Mitigation.
This was working fine before and started happening recently. Since I’m on Hobby plan, I don’t have access to System Bypass Rules to whitelist these IPs manually.
Could someone help unblock these IPs or reset the DDoS Mitigation rule for my project?
It’s the same for me too. For two days now my previews have been broken, and on top of that several users are getting denials from Vercel DDoS mitigation, including myself and my colleague. Since today I have 1 custom rule to
Exact same situation here. I am also facing a lot of random DDoS mitigation issues for genuine traffic.
Even my trusted frontend is getting denied when fetching resources from my backend!
Has anyone identified a solution for this issue? The Vercel team has not yet responded, and for the past few days, I have been unable to use my web application, with my APIs rendered entirely inoperable.
It’s interesting how this could be an inter-Vercel issue. I have had the same problem for a couple of days now; I also refactored my project into a turbo monorepo two days ago and thought this was some problem with my refactor. Asked Codex to investigate, and it gave me a link to this thread. I want to add that the favicons also disappeared in the Vercel dashboard when the thumbnails started showing that Error 403 forbidden message instead of the actual home page screenshot.
I also have Bot protection and AI Bots management turned off for those projects, and I see DDoS protection invoked by agent `Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/141.0.7390.0 Safari/537.36` trying to access `/`, coming from Amazon.com, Inc IPs.
Facebook’s link-preview crawler (facebookexternalhit) returns 403 on
the apex domain https://wellow.fyi, while every other social
crawler I’ve tested (Twitterbot, Slackbot, LinkedInBot, Discordbot,
WhatsApp) returns 200 from the same host with the same path. From
my own IP using curl -A "facebookexternalhit/1.1" I also get 200,
which means the 403 only fires for traffic actually coming from
Meta’s crawler IP range — pointing at edge-side IP-level treatment
that I have no project-level setting to control.
This is breaking Instagram DM and Facebook link previews for the
site. I’ve already gone through the obvious checklist and ruled
everything out (details below) — appears to be something Meta-IP-
specific at Vercel’s edge.
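The differential reasoning in the post above (same user agent, different source network), shown as an added example that is not part of the original thread. The observations are constructed to mirror what the post reports; the source labels and the `diagnose` helper are assumptions for illustration.

```python
from collections import defaultdict

# Constructed observations: (source network, user agent, HTTP status).
# They mirror the post; the source labels are illustrative, not real ranges.
OBSERVATIONS = [
    ("own-ip",        "facebookexternalhit/1.1", 200),  # the curl -A control probe
    ("own-ip",        "Twitterbot",              200),
    ("meta-crawler",  "facebookexternalhit/1.1", 403),
    ("x-crawler",     "Twitterbot",              200),
    ("slack-crawler", "Slackbot",                200),
]

FIELDS = {"source": 0, "user_agent": 1}


def outcomes_by(observations, field, denied=403):
    """Map each value of `field` to the set of outcomes seen for it."""
    seen = defaultdict(set)
    for row in observations:
        outcome = "denied" if row[2] == denied else "allowed"
        seen[row[FIELDS[field]]].add(outcome)
    return dict(seen)


def explains_denials(observations, field, denied=403):
    """A field can explain the denials only if no single value of it was
    both allowed and denied, and at least one value was denied."""
    seen = outcomes_by(observations, field, denied)
    consistent = all(len(outcomes) == 1 for outcomes in seen.values())
    any_denied = any("denied" in outcomes for outcomes in seen.values())
    return consistent and any_denied


def diagnose(observations, denied=403):
    """Summarise which request attribute the denials track."""
    result = {f: explains_denials(observations, f, denied) for f in FIELDS}
    by_source = outcomes_by(observations, "source", denied)
    result["denied_sources"] = sorted(
        src for src, outcomes in by_source.items() if outcomes == {"denied"}
    )
    return result


if __name__ == "__main__":
    print(diagnose(OBSERVATIONS))
```

Dropping the first row (the control probe from the poster's own IP) makes both attributes look like valid explanations, which is why the spoofed-agent request is what isolates the source network.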
Thank you for bringing this to our attention. To ensure this is investigated with the necessary priority and privacy, please report all security-related concerns, potential exploits, or abuse directly to the Vercel Security Team.
Reporting via this official channel is the fastest way to reach our security engineers and ensures that sensitive information is handled in a secure environment rather than a public forum.
I’m facing an issue with the screenshot preview in Vercel. My project is a simple static site (HTML, CSS, JS), and the deployment itself works perfectly — the site is accessible and returns 200 OK.
However, in the Vercel dashboard, the screenshot preview shows “403 Forbidden”.
Details:
Project type: Static (no backend, no middleware, no vercel.json)
Deployment status: Successful
Site accessibility: Works fine in browser
curl -I result:
HTTP/1.1 200 OK
X-Vercel-Cache: HIT
I did not implement any bot blocking, headers, or authentication
Issue persists even after waiting several hours and redeploying
What I’ve tried:
Redeploying (with and without cache)
Creating a fresh deployment
Verifying there’s no custom config or blocking logic
Question:
Is this a known issue or limitation with the preview screenshot system?
Is there any way to force the preview to regenerate correctly?
Thank you for bringing this to our attention. To ensure this is investigated with the necessary priority and privacy, please report all security-related concerns, potential exploits, or abuse directly to the Vercel Security Team.
Reporting via this official channel is the fastest way to reach our security engineers and ensures that sensitive information is handled in a secure environment rather than a public forum.