Skip to content
Brett Johnson — Docs

Incident Response

import { Aside } from ‘@astrojs/starlight/components’;

Severity Levels

LevelNameDescriptionResponse
P0CriticalSite down, booking broken, data breachImmediate (< 15 min)
P1HighCore page broken, form failing, DB unreachable< 1 hour
P2MediumNon-critical feature broken, visual regression< 4 hours
P3LowMinor bug, cosmetic issueNext business day

Response Process

  1. Detect — Better Uptime alert / Sentry spike / user report
  2. Assess — Check /api/status, Vercel logs, service status pages
  3. Contain — Rollback bad deploy or enable Cloudflare “Under Attack” mode
  4. Resolve — Apply fix via hotfix branch; see Release Process
  5. Post-mortem — Write brief post-mortem for P0/P1 incidents

Scenario Playbooks

Site Returning 5xx Errors

Terminal window
# 1. Check if a recent deployment caused it
# Vercel → Deployments → compare deploy time vs. incident start


# 2. If deployment caused it → instant rollback (see Deployment Runbook)


# 3. Otherwise check:
#    - Vercel function logs
#    - Environment variables still set
#    - External services: Supabase, Resend, HubSpot status pages

Booking Form Not Submitting

Common causes:

  • Missing environment variable (SUPABASE_SERVICE_ROLE_KEY, RESEND_API_KEY)
  • Supabase connection refused
  • Turnstile site/secret key mismatch
  • Rate limit exceeded (Upstash Redis)
Terminal window
# Check Vercel function logs for /api/booking
# Test Turnstile with the Cloudflare test key locally

Temporary mitigation: Update contact page to show fallback email address. Deployable in < 5 minutes.

Suspected Data Breach

Immediate actions (within 15 minutes):

  1. Rotate ALL secrets immediately:

    • Supabase service role key
    • Resend API key
    • HubSpot private app token
    • Cloudflare R2 access keys
    • Turnstile secret key
    • Upstash Redis credentials

  2. Update rotated secrets in Vercel Environment Variables

  3. Invalidate all active Supabase sessions

  4. Review access logs (Supabase, Vercel, Cloudflare Security Events)

  5. If leads table was accessed improperly:

    • Document what was accessed (row count, time range)
    • GDPR: EU resident PII breach → 72-hour notification requirement
    • Notify Brett Johnson + legal counsel immediately

DDoS on Booking Form

Terminal window
# Cloudflare absorbs most attacks automatically
# Check CF Security → Events for threat traffic


# If not caught automatically:
# CF dashboard → Security → "I'm Under Attack" mode
# (adds JS challenge to ALL visitors — use as last resort)


# WAF rule to add if targeted:
# Block IPs sending > 20 req/min to /api/booking

Key Contacts & URLs

ResourceURL
Vercel Dashboardhttps://vercel.com/dashboard
Vercel Statushttps://vercel-status.com
Supabase Dashboardhttps://app.supabase.com
Supabase Statushttps://status.supabase.com
Cloudflare Dashboardhttps://dash.cloudflare.com
Cloudflare Statushttps://www.cloudflarestatus.com
Sentryhttps://sentry.io
Upstash Consolehttps://console.upstash.com
Lead EngineerJesse Lucus / VLN Security