- SSL & Headers
- Open Port Scan
- .env/.git Leaks
- WP Username Spy
- Executive PDF
- Cost$29 per-domain scan
Free Next.js Security Scanner
Detect exposed API routes, SSR/SSRF vulnerabilities, NEXT_PUBLIC_ env leaks, and missing hardening — with copy-paste fixes written for Next.js. No signup, full audit in ~60 seconds.
Scan Your Next.js App Now
Our AI-powered scanner detects Next.js-specific vulnerabilities including API route exposure, CORS issues, and missing security headers.
Ready to scan.
The Kill Chain
Attacker's view of exposureExposed Assets
File Leaks
Compliance
Vulnerability Table
Severity badges highlight riskAttack Surface Map
Observed exposure pointsCompliance Mapping
OWASP + ISO alignmentEvidence Mode
HTTP signals capturedWhy Agencies Choose Us
- SSL & Headers
- Open Port Scan
- .env/.git Leaks
- WP Username Spy
- Executive PDF
- CostFree
- SSL & Headers
- Open Port Scan
- .env/.git Leaks
- WP Username Spy
- Executive PDF
- Cost$1,500+
API Route Security
Detects exposed /api/* endpoints without authentication, rate limiting, or input validation. Checks for IDOR vulnerabilities and unauthorized data access.
Environment Variable Leaks
Checks for NEXT_PUBLIC_ variables that may accidentally expose API keys, database URLs, or secrets to the client-side JavaScript bundle.
Security Headers
Validates CSP, HSTS, X-Frame-Options, and other headers. Checks next.config.js header configuration and Vercel deployment settings.
SSR & SSRF Detection
Identifies Server-Side Request Forgery risks in getServerSideProps and Server Components. Checks for unvalidated URL parameters used in server-side fetches.
CORS Configuration
Validates Cross-Origin Resource Sharing settings on API routes. Detects wildcard origins, credential reflection, and missing preflight handling.
Dependency Audit
Checks for known vulnerabilities in npm dependencies. Next.js apps average 500+ transitive dependencies — each is a potential attack vector.
Next.js Security Risks
Next.js is the most popular React framework, powering millions of production applications. Its hybrid SSR/CSR architecture creates unique security considerations that traditional SPA frameworks don't have.
1. Exposed API Routes
Next.js API routes (/api/*) are serverless functions that run on the server. By default, they have no authentication, no rate limiting, and no input validation. Any API route you create is publicly accessible.
// VULNERABLE — No authentication
// pages/api/users.js
export default async function handler(req, res) {
const users = await db.query('SELECT * FROM users');
res.json(users); // Exposes all user data!
}
// SECURE — With authentication and authorization
import { getServerSession } from 'next-auth';
export default async function handler(req, res) {
const session = await getServerSession(req, res, authOptions);
if (!session || session.user.role !== 'admin') {
return res.status(403).json({ error: 'Forbidden' });
}
const users = await db.query('SELECT id, name, email FROM users');
res.json(users);
}
2. Environment Variable Exposure
Variables prefixed with NEXT_PUBLIC_ are embedded in the client-side JavaScript bundle and visible to anyone. Never use this prefix for secrets.
# .env — DANGEROUS
NEXT_PUBLIC_DATABASE_URL=postgres://user:pass@host/db # Exposed to client!
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_xxx # Exposed to client!
# .env — CORRECT
DATABASE_URL=postgres://user:pass@host/db # Server-only
STRIPE_SECRET_KEY=sk_live_xxx # Server-only
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_xxx # Safe for client
3. Missing Security Headers
Next.js does not add security headers by default. You must configure them in next.config.js:
// next.config.js
module.exports = {
async headers() {
return [{
source: '/(.*)',
headers: [
{ key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self' 'unsafe-inline'" },
{ key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
],
}];
},
};
4. Server-Side Request Forgery (SSRF)
When getServerSideProps or Server Components fetch URLs based on user input, attackers can make the server request internal resources:
// VULNERABLE — User controls the URL
export async function getServerSideProps({ query }) {
const res = await fetch(query.url); // SSRF! User can request internal services
const data = await res.json();
return { props: { data } };
}
// SECURE — Validate and whitelist URLs
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];
export async function getServerSideProps({ query }) {
const url = new URL(query.url);
if (!ALLOWED_HOSTS.includes(url.hostname)) {
return { notFound: true };
}
const res = await fetch(url.toString());
const data = await res.json();
return { props: { data } };
}
Next.js Security Checklist
- Authenticate all API routes — use NextAuth.js or custom middleware
- Add rate limiting to API routes (use
next-rate-limitor Vercel's built-in) - Validate all input with Zod, Joi, or similar
- Never prefix secrets with
NEXT_PUBLIC_ - Configure security headers in
next.config.js - Set up CORS properly for API routes
- Validate URLs in
getServerSidePropsto prevent SSRF - Use
dangerouslySetInnerHTMLonly with DOMPurify - Run
npm auditregularly and fix vulnerabilities - Enable Vercel's DDoS protection and WAF if deployed there
- Set up SPF, DKIM, and DMARC for your domain
- Schedule regular security scans
Related guides:
Frequently Asked Questions
What security risks are specific to Next.js?
Exposed API routes without authentication, NEXT_PUBLIC_ environment variable leaks, SSRF through getServerSideProps, missing security headers, and insecure middleware configurations. The hybrid SSR/CSR architecture creates unique attack surfaces.
How do I add security headers in Next.js?
Use the headers() function in next.config.js to add CSP, HSTS, X-Frame-Options, and other headers. For Vercel deployments, you can also use vercel.json.
Is Next.js secure by default?
Next.js provides some defaults (React auto-escaping, isolated API routes), but does NOT add security headers, authenticate API routes, or prevent NEXT_PUBLIC_ secret exposure. Developers must actively configure security.
Related Security Guides
Next.js Security Checklist 2026
Production hardening guide for React & Next.js apps.
Fix CORS Misconfiguration
How to correctly configure cross-origin resource sharing.
Fix Exposed .env Files
Prevent credential leaks from exposed environment files.
Security Headers Checklist
CSP, HSTS, and cookie hardening — complete 2026 guide.
Attackers scan your site every day. Watch what they find — and how one report shuts them out.
A real site, a real scan: 27 hidden issues exposed in 60 seconds — exposed credentials, open database ports, spoofable email — then fixed the same day with the copy-paste code inside the $29 report, verified with free re-scans until the score climbs from 67 to 90, and sealed with a Verified Secure badge your visitors can see. The same recon a consultant bills $1,500+ for.