Fullstory x Deployment Protection Workaround

My team is currently attempting to integrate FullStory Analytics with our NextJS application. In production there are no issues, but we need to support preview deployment e2e testing, where we have deployment protection enabled via password / auth.

The issue is that FullStoryBot, their method of fetching CSS and asset resources from sites, is unable to bypass deployment protection and thus cannot retrieve CSS or images during session recording playbacks (viewing user sessions on preview deployments looks like unstyled HTML pages).

FullStory’s recommended solution is to “allowlist traffic based on the existence of ‘FullStoryBot’ in the User-Agent string”, but Vercel doesn’t seem to support this behavior through the UI. We understand and have used “protection bypass for automation” and “OPTIONS allowlist” before, but FullStoryBot isn’t customizable enough to leverage these methods.

TLDR: We’re at a middle ground of sorts where neither platform is customizable enough to allow each other to communicate, but we’re curious whether the Vercel support team could help us find a workaround. We’re on Vercel’s enterprise plan.

Unfortunately the only option from Vercel’s end is to set the deployment protection bypass secret either as a header in the request or as a query param. If they don’t allow you to configure the header, maybe you can cheat by giving them your application URL with the bypass secret as a query param already included?

On our side we cannot use the user agent as a password to unlock deployment protection as those are easily set by anyone in any request and from a security standpoint would be akin to removing deployment protection entirely—which is an option available to you.

You could disable deployment protection for your preview deploys and move the auth responsibility from Vercel to inside your app code. Vercel’s System Environment variables can detect when you’re inside a preview environment to enforce specific auth or limit login to specific users.
