Next.js Security Scanner: Free Tool to Find Vulnerabilities in Your App
Scan your Next.js application for security vulnerabilities with our free online Next.js Security Checker. Detect exposed API routes, missing headers, SSRF risks, and misconfigured security settings.
Next.js Security Scanner: Free Tool to Find Vulnerabilities in Your App
Next.js is the most popular React framework, powering production applications for Netflix, TikTok, Twitch, and hundreds of thousands of businesses. But its powerful features — Server-Side Rendering (SSR), API Routes, Server Actions, and middleware — introduce unique security considerations that many developers overlook.
The Next.js Security Checker by Jayax.dev scans your Next.js application for 15+ framework-specific security issues — from exposed API routes to missing security headers and Server-Side Request Forgery (SSRF) risks.
Why Next.js Security Is Different
Framework-Specific Attack Vectors
Next.js introduces security concerns that don't exist in standard React applications:
| Feature | Security Risk |
|---------|---------------|
| API Routes (/api/*) | Unauthenticated endpoints, rate limiting |
| Server Actions | CSRF, injection attacks |
| getServerSideProps | SSRF via URL parameters |
| Image Optimization (/_next/image) | SSRF, denial of service |
| Middleware | Bypass vulnerabilities |
| Environment variables | Leakage to client bundle |
| _next/data/ routes | Data exposure, enumeration |
Common Next.js Security Mistakes
- Exposing environment variables to the client — only
NEXT_PUBLIC_*should be client-accessible - No authentication on API routes — anyone can call
/api/*endpoints - Missing security headers — Next.js doesn't set CSP, HSTS, or X-Frame-Options by default
- Unrestricted image optimization —
/_next/image?url=can be abused for SSRF - Server Actions without CSRF protection — cross-site request forgery
- Verbose error messages in production — exposing stack traces and code
What the Next.js Security Checker Scans
1. Security Headers
Content-Security-Policy (CSP)
- What it checks: Whether CSP headers are configured in
next.config.jsor middleware - Why it matters: Without CSP, your app is vulnerable to XSS attacks through injected scripts
- How to fix: Add CSP headers in
next.config.js:
// next.config.js
const securityHeaders = [
{
key: 'Content-Security-Policy',
value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
}
]
module.exports = {
async headers() {
return [{ source: '/(.*)', headers: securityHeaders }]
}
}
Strict-Transport-Security (HSTS)
- What it checks: Whether HSTS is enabled
- Why it matters: Forces HTTPS, prevents downgrade attacks
- How to fix: Add
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options
- What it checks: Clickjacking protection
- Why it matters: Prevents your app from being embedded in malicious iframes
- How to fix: Add
X-Frame-Options: DENYor configure CSPframe-ancestors
Permissions-Policy
- What it checks: Browser feature permissions
- Why it matters: Controls access to camera, microphone, geolocation, etc.
- How to fix: Add
Permissions-Policy: camera=(), microphone=(), geolocation=()
2. API Route Security
API Route Discovery
- What it checks: Whether API routes are discoverable and potentially unauthenticated
- Why it matters: Exposed API endpoints without authentication leak data
- How to fix: Add authentication middleware to all API routes:
// middleware.ts
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'
export function middleware(request: NextRequest) {
// Check authentication for API routes
if (request.nextUrl.pathname.startsWith('/api/')) {
const token = request.cookies.get('auth-token')
if (!token) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
}
return NextResponse.next()
}
Rate Limiting on API Routes
- What it checks: Whether API routes have rate limiting
- Why it matters: Without rate limiting, attackers can brute-force endpoints
- How to fix: Implement rate limiting using Upstash Ratelimit or custom middleware
3. Next.js-Specific Checks
Image Optimization SSRF
- What it checks: Whether
/_next/imageendpoint accepts arbitrary URLs - Why it matters: Attackers can use your server as a proxy to access internal resources
- How to fix: Configure
images.remotePatternsinnext.config.js:
module.exports = {
images: {
remotePatterns: [
{ protocol: 'https', hostname: 'your-domain.com' },
],
},
}
Environment Variable Leakage
- What it checks: Whether sensitive environment variables are exposed to the client
- Why it matters: Variables without
NEXT_PUBLIC_prefix should never reach the client bundle - How to fix: Only use
NEXT_PUBLIC_*for non-sensitive values. Keep API keys, secrets, and credentials server-side only
Build ID Exposure
- What it checks: Whether the Next.js build ID is exposed
- Why it matters: Reveals deployment information and can be used for cache poisoning
- How to fix: Configure
generateBuildIdinnext.config.js
Source Map Exposure
- What it checks: Whether JavaScript source maps are accessible in production
- Why it matters: Source maps expose your original source code including comments, variable names, and logic
- How to fix: Disable source maps in production:
productionBrowserSourceMaps: false
4. Server-Side Rendering Security
SSRF via URL Parameters
- What it checks: Whether server-side functions accept arbitrary URLs
- Why it matters:
getServerSidePropswith user-controlled URLs can be exploited for SSRF - How to fix: Validate and whitelist allowed URLs. Never pass user input directly to
fetch()
Server Actions Security
- What it checks: Whether Server Actions have proper CSRF protection
- Why it matters: Next.js Server Actions can be called from any origin without protection
- How to fix: Implement CSRF tokens or use Next.js built-in origin checking
5. Infrastructure & Deployment
SSL/TLS Configuration
- What it checks: HTTPS enforcement and certificate validity
- Why it matters: All traffic should be encrypted in transit
- How to fix: Configure your hosting platform (Vercel, AWS, etc.) to enforce HTTPS
Cookie Security
- What it checks: Whether cookies use Secure, HttpOnly, and SameSite flags
- Why it matters: Insecure cookies can be stolen via XSS or sent over HTTP
- How to fix: Always set cookies with appropriate flags:
// Setting secure cookies in Next.js
import { cookies } from 'next/headers'
cookies().set('session', token, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
maxAge: 60 * 60 * 24 * 7, // 1 week
})
How to Use the Next.js Security Checker
- Go to jayax.dev/tools/nextjs-security-checker
- Enter your Next.js application URL
- Click "Scan" — the tool analyzes your deployment
- Review results — categorized by severity and type
- Apply fixes — each finding includes specific code examples
- Re-scan — confirm vulnerabilities are resolved
Next.js Security Best Practices
Essential Configuration
// next.config.js — Production Security Headers
const ContentSecurityPolicy = `
default-src 'self';
script-src 'self' 'unsafe-eval' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self' blob: data:;
font-src 'self';
connect-src 'self' https://api.yourdomain.com;
frame-ancestors 'none';
`
const securityHeaders = [
{ key: 'X-DNS-Prefetch-Control', value: 'on' },
{ key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
{ key: 'X-XSS-Protection', value: '1; mode=block' },
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
{ key: 'Content-Security-Policy', value: ContentSecurityPolicy.replace(/\n/g, '') },
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
]
module.exports = {
async headers() {
return [{ source: '/(.*)', headers: securityHeaders }]
},
poweredByHeader: false, // Remove X-Powered-By header
}
Security Checklist
- [ ] Security headers configured in
next.config.js - [ ]
poweredByHeader: false— remove X-Powered-By header - [ ] Image optimization restricted to known domains
- [ ] API routes have authentication middleware
- [ ] Rate limiting on sensitive endpoints
- [ ] Environment variables properly scoped
- [ ] Source maps disabled in production
- [ ] CSRF protection on Server Actions
- [ ] Input validation on all user-supplied data
- [ ] Error pages don't leak stack traces
FAQ — Next.js Security Checker
Does the scanner work with Next.js App Router?
Yes. The scanner is compatible with both Pages Router and App Router (Next.js 13+). It checks for security issues specific to both routing paradigms.
Can it scan Next.js apps hosted on Vercel?
Yes. The scanner works with any publicly accessible Next.js deployment, including Vercel, AWS, Netlify, Railway, and self-hosted instances.
Is my application affected during the scan?
No. The scanner performs read-only, non-invasive checks. It does not send malicious payloads, attempt exploits, or modify your application in any way.
How often should I scan my Next.js application?
Scan after every deployment or at minimum monthly. Security is an ongoing process — new vulnerabilities are discovered regularly.
What about Next.js middleware security?
The scanner checks for common middleware misconfigurations including bypass vulnerabilities and improper authentication checks. For comprehensive middleware testing, we recommend manual code review.
Secure Your Next.js Application Now
Don't deploy with default settings. Run a free security scan and harden your Next.js application.
Related Articles:
- WordPress Security Checker Guide
- Laravel Security Audit Guide
- Website Security Checker Guide
- React Security Audit Guide
- Essential Web Development Security Tools
Harden your Next.js deployment in 60 seconds with the free Next.js Security Checker by Jayax.dev.