AI QA Monkey
AI Security Intelligence
Enterprise-grade recon engine
Next.js · SSR & API Route Scanner

Free Next.js Security Scanner

Detect exposed API routes, SSR/SSRF vulnerabilities, NEXT_PUBLIC_ env leaks, and missing hardening — with copy-paste fixes written for Next.js. No signup, full audit in ~60 seconds.

API route auth NEXT_PUBLIC_ leaks SSR / SSRF Security headers CORS config Dependency audit

Scan Your Next.js App Now

Our AI-powered scanner detects Next.js-specific vulnerabilities including API route exposure, CORS issues, and missing security headers.

Initializing...

Ready to scan.

Penetration Test Report
Target: -- Date: --
Risk: --
DNS & Email Security
--
Awaiting scan
SSL / TLS Status
--
Awaiting scan
Security Headers
--
Awaiting scan
Ports & WAF
--
Awaiting scan
Files & Compliance
--
Awaiting scan
Technology
--
Awaiting scan
Vulnerability Analysis
--
Awaiting scan
Security Score
--
Awaiting scan

The Kill Chain

Attacker's view of exposure

Exposed Assets

    File Leaks

    Run a scan to detect file leaks.

    Compliance

      Premium Feature
      Unlock Full Report & Fixes - Only $29
      One-time fee per domain · No subscription

      Vulnerability Table

      Severity badges highlight risk
      Severity
      Issue
      Description
      Remediation
      Locked — full details inside
      Unlock Full Report & Fixes - Only $29
      One-time fee per domain · No subscription · 30-day money-back guarantee

      Attack Surface Map

      Observed exposure points
      Premium Feature
      Unlock Full Report & Fixes - Only $29
      One-time fee per domain · No subscription

      Compliance Mapping

      OWASP + ISO alignment
      Premium Feature
      Unlock Full Report & Fixes - Only $29
      One-time fee per domain · No subscription

      Evidence Mode

      HTTP signals captured
      Status: --
      Server: --
      Title: --

      Why Agencies Choose Us

      Best Value
      AI QA Monkey
      • SSL & Headers
      • Open Port Scan
      • .env/.git Leaks
      • WP Username Spy
      • Executive PDF
      • Cost$29 per-domain scan
      Free Tools
      • SSL & Headers
      • Open Port Scan
      • .env/.git Leaks
      • WP Username Spy
      • Executive PDF
      • CostFree
      Expensive Consultants
      • SSL & Headers
      • Open Port Scan
      • .env/.git Leaks
      • WP Username Spy
      • Executive PDF
      • Cost$1,500+

      API Route Security

      Detects exposed /api/* endpoints without authentication, rate limiting, or input validation. Checks for IDOR vulnerabilities and unauthorized data access.

      Environment Variable Leaks

      Checks for NEXT_PUBLIC_ variables that may accidentally expose API keys, database URLs, or secrets to the client-side JavaScript bundle.

      Security Headers

      Validates CSP, HSTS, X-Frame-Options, and other headers. Checks next.config.js header configuration and Vercel deployment settings.

      SSR & SSRF Detection

      Identifies Server-Side Request Forgery risks in getServerSideProps and Server Components. Checks for unvalidated URL parameters used in server-side fetches.

      CORS Configuration

      Validates Cross-Origin Resource Sharing settings on API routes. Detects wildcard origins, credential reflection, and missing preflight handling.

      Dependency Audit

      Checks for known vulnerabilities in npm dependencies. Next.js apps average 500+ transitive dependencies — each is a potential attack vector.

      Next.js Security Risks

      Next.js is the most popular React framework, powering millions of production applications. Its hybrid SSR/CSR architecture creates unique security considerations that traditional SPA frameworks don't have.

      1. Exposed API Routes

      Next.js API routes (/api/*) are serverless functions that run on the server. By default, they have no authentication, no rate limiting, and no input validation. Any API route you create is publicly accessible.

      // VULNERABLE — No authentication
      // pages/api/users.js
      export default async function handler(req, res) {
        const users = await db.query('SELECT * FROM users');
        res.json(users); // Exposes all user data!
      }
      
      // SECURE — With authentication and authorization
      import { getServerSession } from 'next-auth';
      export default async function handler(req, res) {
        const session = await getServerSession(req, res, authOptions);
        if (!session || session.user.role !== 'admin') {
          return res.status(403).json({ error: 'Forbidden' });
        }
        const users = await db.query('SELECT id, name, email FROM users');
        res.json(users);
      }

      2. Environment Variable Exposure

      Variables prefixed with NEXT_PUBLIC_ are embedded in the client-side JavaScript bundle and visible to anyone. Never use this prefix for secrets.

      # .env — DANGEROUS
      NEXT_PUBLIC_DATABASE_URL=postgres://user:pass@host/db  # Exposed to client!
      NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_xxx              # Exposed to client!
      
      # .env — CORRECT
      DATABASE_URL=postgres://user:pass@host/db              # Server-only
      STRIPE_SECRET_KEY=sk_live_xxx                          # Server-only
      NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_xxx         # Safe for client

      3. Missing Security Headers

      Next.js does not add security headers by default. You must configure them in next.config.js:

      // next.config.js
      module.exports = {
        async headers() {
          return [{
            source: '/(.*)',
            headers: [
              { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self' 'unsafe-inline'" },
              { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
              { key: 'X-Frame-Options', value: 'DENY' },
              { key: 'X-Content-Type-Options', value: 'nosniff' },
              { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
              { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
            ],
          }];
        },
      };

      4. Server-Side Request Forgery (SSRF)

      When getServerSideProps or Server Components fetch URLs based on user input, attackers can make the server request internal resources:

      // VULNERABLE — User controls the URL
      export async function getServerSideProps({ query }) {
        const res = await fetch(query.url); // SSRF! User can request internal services
        const data = await res.json();
        return { props: { data } };
      }
      
      // SECURE — Validate and whitelist URLs
      const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];
      export async function getServerSideProps({ query }) {
        const url = new URL(query.url);
        if (!ALLOWED_HOSTS.includes(url.hostname)) {
          return { notFound: true };
        }
        const res = await fetch(url.toString());
        const data = await res.json();
        return { props: { data } };
      }

      Next.js Security Checklist

      1. Authenticate all API routes — use NextAuth.js or custom middleware
      2. Add rate limiting to API routes (use next-rate-limit or Vercel's built-in)
      3. Validate all input with Zod, Joi, or similar
      4. Never prefix secrets with NEXT_PUBLIC_
      5. Configure security headers in next.config.js
      6. Set up CORS properly for API routes
      7. Validate URLs in getServerSideProps to prevent SSRF
      8. Use dangerouslySetInnerHTML only with DOMPurify
      9. Run npm audit regularly and fix vulnerabilities
      10. Enable Vercel's DDoS protection and WAF if deployed there
      11. Set up SPF, DKIM, and DMARC for your domain
      12. Schedule regular security scans

      Related guides:

      Frequently Asked Questions

      What security risks are specific to Next.js?

      Exposed API routes without authentication, NEXT_PUBLIC_ environment variable leaks, SSRF through getServerSideProps, missing security headers, and insecure middleware configurations. The hybrid SSR/CSR architecture creates unique attack surfaces.

      How do I add security headers in Next.js?

      Use the headers() function in next.config.js to add CSP, HSTS, X-Frame-Options, and other headers. For Vercel deployments, you can also use vercel.json.

      Is Next.js secure by default?

      Next.js provides some defaults (React auto-escaping, isolated API routes), but does NOT add security headers, authenticate API routes, or prevent NEXT_PUBLIC_ secret exposure. Developers must actively configure security.

      Related Security Guides

      Live demo — 2 minutes

      Attackers scan your site every day. Watch what they find — and how one report shuts them out.

      A real site, a real scan: 27 hidden issues exposed in 60 seconds — exposed credentials, open database ports, spoofable email — then fixed the same day with the copy-paste code inside the $29 report, verified with free re-scans until the score climbs from 67 to 90, and sealed with a Verified Secure badge your visitors can see. The same recon a consultant bills $1,500+ for.

      aiqamonkey.com
      Free Scan
      Free 60-second scan · Full fix report $29 one-time · 30-day money-back guarantee
      Beyond the one-time scan

      Security isn't a one-time fix.
      It's a system that never sleeps.

      Attackers scan you every day, and new vulnerabilities ship every week. AI QA Monkey finds the holes, hands you the exact fix, then keeps watching — on an engine we update continuously so you're always tested against the latest threats.

      Find

      Scan & expose

      100+ checks across 15 attack surfaces map your full exposure the way an attacker sees it — exposed files, open ports, spoofable email, supply-chain risks and more.

      Fix

      Guided remediation

      Every finding ships with copy-paste server config, an AI Fix Prompt for ChatGPT / Claude / Cursor, and a step-by-step guide written for non-experts — backed by our library of 45+ in-depth fix guides.

      Monitor

      Watch continuously

      Automated daily or weekly re-scans track your score over time and email you the moment it drops or a new critical appears — so a regression never goes unnoticed.

      Live score tracking

      Watch your score climb — and stay up

      Fix an issue, re-scan, and see the proof. Monitoring plots your security score over time and flags any drop the moment it happens — the difference between catching a regression today and finding out after a breach.

      61 → 90Typical score lift
      DailyAutomated re-scans
      InstantDrop-alert emails
      Always improving

      Your checks never go stale

      As fresh CVEs, misconfigurations and attack techniques emerge, we build the detections straight into the engine — automatically. Recent additions include supply-chain & Magecart defense, known-CVE library scanning, client-side secret detection and source-map exposure — with more added continuously.

      • Supply-chain / Magecart
      • Known-CVE libraries
      • Client-side secrets
      • Source-map exposure
      • Full email trust suite
      45+ fix guides

      A guide for every fix

      Not sure how to apply a fix? Every issue links to a plain-English, step-by-step guide — updated as best practices evolve.

      Browse all 45 security guides
      Start free. Stay protected. Run your instant scan now — then keep the fixes flowing and the monitoring on.
      Plans & pricing

      Protection that fits how you work

      Start with a one-time audit, or stay protected with always-on monitoring. Every plan runs the same 100+ check engine — and that engine never stops growing.

      Your checks never go stale. We add new detections continuously — as fresh CVEs, misconfigurations, and attack techniques emerge, they’re built into the engine automatically. Every scan tests your site against the latest threats, with nothing for you to install or update.
      Start here · no signup

      One-Time Security Report

      Scan free in ~60 seconds and see your score. Pay once only if you want the full fix report — no account, no subscription, yours to keep forever.

      • Full 100+ check report
      • Interactive attack surface map
      • Copy-paste fixes + AI prompts
      • PDF · JSON · CSV exports
      • 30 days monitoring included
      Consultant rate $1,500+
      $29 one-time
      Run a free scan → Free scan first — pay only if you want the report · 30-day money-back
      Continuous protection

      Stay protected — never get caught off guard

      Always-on monitoring re-scans your site on your schedule and emails you the moment your score drops or a new critical vulnerability appears. Cancel anytime.

      Monitor

      Always-on early warning

      $7.99 / month
      Start monitoring
      • Daily or weekly automated re-scans, 1 domain
      • Email alerts on score drop or new critical
      • Score & vulnerability trend history
      • Always tested against newly-added checks
      • Report downloads not included

      Agency

      For teams & client work

      $79 / month
      Scale up
      • Monitor up to 10 domains
      • Daily or weekly, per domain
      • Up to 30 reports per domain / month
      • Presentation-ready PDF exports
      • Priority support

      All subscriptions are month-to-month — cancel anytime. One-time report is a single payment, no renewal. Prices in USD.