Is my Next.js app secure?

Next.js provides some security defaults, but most applications we audit have at least one critical vulnerability. Common issues include exposed API routes without authentication, client-side environment variable leaks through NEXT_PUBLIC_ prefixes, source map exposure revealing business logic and SSR injection flaws. A security audit from Sherlock Forensics identifies these issues before attackers do.

What security issues are specific to Next.js?

Next.js introduces framework-specific attack surfaces including SSR injection through unsanitized user input in server-rendered pages, API route exposure without proper authentication middleware, middleware bypass through path manipulation, NEXT_PUBLIC_ environment variable leaks embedding secrets in client bundles, ISR cache poisoning that serves malicious content to all users and getServerSideProps data leakage exposing server-side data in page props.

Can you audit Vercel deployments?

Yes. Sherlock Forensics audits Next.js applications deployed on Vercel, including serverless function security, edge middleware configuration, environment variable management, preview deployment exposure and Vercel-specific headers and caching behavior. We also audit Next.js applications deployed on AWS, Google Cloud, self-hosted servers and other platforms.

How do I protect API routes in Next.js?

Protect Next.js API routes by implementing authentication middleware on every route, validating and sanitizing all input, using rate limiting, implementing CORS policies, avoiding sensitive data in client-accessible responses and using Next.js middleware for centralized auth checks. Never rely on client-side checks alone. Sherlock Forensics tests all your API routes for authentication bypass, injection flaws and data exposure.

Does Next.js need a pentest?

If your Next.js application handles user data, processes payments or contains proprietary business logic, it needs a penetration test. Next.js applications have unique attack surfaces that generic web scanners miss, including SSR injection, middleware bypass and ISR cache poisoning. Sherlock Forensics offers Next.js-specific audits from $1,500 CAD.

Next.js Security

Next.js Security Audit

Built your SaaS with Next.js and Vercel? We audit it.

Sherlock Forensics provides Next.js security audits covering SSR injection, API route exposure, middleware bypass, client-side environment variable leaks (NEXT_PUBLIC_), source map exposure, getServerSideProps data leakage, ISR cache poisoning and misconfigured rewrites. Quick audits from $1,500 CAD. Standard penetration tests from $5,000 CAD.

Next.js powers thousands of SaaS applications, marketing sites and e-commerce platforms. Its hybrid rendering model blurs the line between server and client, creating unique attack surfaces that traditional web scanners cannot detect. API routes sit alongside page routes with no authentication by default. Environment variables prefixed with NEXT_PUBLIC_ get bundled into client JavaScript for anyone to read. Server-side rendering introduces injection vectors that only exist at render time. We know where Next.js applications break because we test them every week.

Order a Quick Audit - $1,500 Scope a Full Pentest

What We Find

Next.js Vulnerabilities We Test For

01 - SSR

SSR Injection

Server-side rendering in Next.js executes code on the server before sending HTML to the browser. When user input flows into getServerSideProps or server components without sanitization, attackers can inject payloads that execute during the render cycle. This can lead to data exfiltration from the server environment, access to internal APIs and server-side request forgery. We trace data flow from user input through server rendering functions to identify injection points that only manifest during SSR.

02 - API

API Route Exposure

Next.js API routes in the /api directory are publicly accessible by default with no authentication, rate limiting or input validation. Developers frequently create internal API routes assuming they are only called by their own frontend, but every route under /api is a public HTTP endpoint. We enumerate all API routes, test each for authentication bypass, check for sensitive data exposure in responses and verify that authorization controls are enforced server-side rather than relying on client-side routing.

03 - Middleware

Middleware Bypass

Next.js middleware runs before route handlers and is commonly used for authentication checks, redirects and header manipulation. However, middleware matching is path-based and attackers can bypass it through path manipulation, trailing slashes, encoded characters and case variations. A middleware rule protecting /dashboard may not protect /Dashboard or /dashboard/. We systematically test middleware matching patterns to find bypass routes that expose protected content.

04 - ENV

Client-Side Env Leaks (NEXT_PUBLIC_)

Any environment variable prefixed with NEXT_PUBLIC_ is embedded directly into the client-side JavaScript bundle during build time. Developers frequently store API keys, internal service URLs, feature flags and configuration secrets using this prefix without understanding that the values become visible to every visitor. We analyze your client-side bundles to identify leaked environment variables and assess the impact of each exposed value, from inconvenient to critical.

05 - Maps

Source Map Exposure

Source maps allow developers to debug minified code but expose your entire application source code when left accessible in production. Next.js generates source maps by default in some configurations, and many Vercel deployments serve them publicly. Exposed source maps reveal business logic, API endpoints, authentication flows, internal comments and hardcoded values. We check for accessible .map files and assess what an attacker could learn from your exposed source code.

06 - Props

getServerSideProps Data Leakage

Data returned from getServerSideProps is serialized as JSON and embedded in the page HTML as __NEXT_DATA__. Developers sometimes return more data than the page component needs, including internal IDs, user roles, admin flags, full database records and sensitive configuration. This data is visible to anyone viewing the page source. We inspect __NEXT_DATA__ payloads across your application to identify over-exposed server-side data that could aid further attacks.

07 - ISR

ISR Cache Poisoning

Incremental Static Regeneration caches server-rendered pages and serves them to subsequent visitors. If an attacker can influence the content of a cached page through parameter manipulation, header injection or cookie-based rendering, that malicious content gets served to every visitor until the cache refreshes. We test your ISR-enabled pages for cache poisoning vectors including unkeyed headers, query parameter injection and session-dependent rendering that should not be cached.

08 - Rewrites

Misconfigured Rewrites and Redirects

Next.js rewrites and redirects in next.config.js can introduce open redirect vulnerabilities, SSRF through backend proxying and access control bypass through path rewriting. Rewrite rules that proxy requests to internal services can be manipulated to reach unintended endpoints. Redirect rules with user-controlled parameters enable phishing through open redirects. We analyze your rewrite and redirect configuration for security misconfigurations and test each rule for abuse potential.

Our Approach

How We Audit Next.js Applications

Route and API Enumeration

We map every page route, API route, middleware matcher and rewrite rule in your Next.js application. This includes dynamic routes, catch-all routes, parallel routes and route groups. We identify which routes have authentication middleware, which API endpoints are publicly accessible and which rewrites proxy to internal services. This gives us a complete attack surface map before testing begins.

Client Bundle Analysis

We extract and analyze your client-side JavaScript bundles to identify leaked environment variables, exposed API endpoints, hardcoded secrets and source maps. We review the __NEXT_DATA__ payload on every page type to find over-exposed server-side data. This static analysis reveals information disclosure issues that dynamic scanning misses.

Server-Side Testing

We test getServerSideProps, server actions, API routes and middleware for injection flaws, authentication bypass, authorization issues and data leakage. We verify that server-side code properly validates input, enforces access controls and does not leak internal state to client responses. Our testers understand the Next.js request lifecycle and know exactly where server-side vulnerabilities hide.

Deployment Configuration Review

We review your Vercel project settings, environment variable configuration, preview deployment access controls, edge function security and caching behavior. For self-hosted deployments, we assess your next.config.js, server configuration and reverse proxy setup. Misconfigured deployments are one of the most common sources of Next.js vulnerabilities we find.

Pricing

Next.js Security Engagements

Quick Audit - $1,500 CAD: Focused security review covering API route exposure, environment variable leaks, source map analysis, __NEXT_DATA__ inspection and common Next.js vulnerabilities. Ideal for early-stage SaaS applications and marketing sites. Delivered in 3-5 business days. Order online.
Standard Penetration Test - $5,000 CAD: Full penetration test for production Next.js applications. Covers all eight vulnerability categories, middleware bypass testing, ISR cache poisoning, rewrite/redirect abuse, authentication and authorization testing across all routes. For SaaS platforms with paying customers. Order online.
Comprehensive Assessment - $12,000 CAD: Full-scope assessment including source code review, infrastructure testing, CI/CD pipeline review, Vercel configuration audit and remediation support. For enterprise Next.js applications with complex architectures. Contact us to scope.

Frequently Asked Questions

Next.js Security FAQs

Is my Next.js app secure?: Next.js provides some sensible defaults, but the framework does not enforce authentication on API routes, does not prevent environment variable leaks through NEXT_PUBLIC_ prefixes and does not sanitize data passed through getServerSideProps. Most Next.js applications we audit have at least one critical finding. A quick audit from Sherlock Forensics identifies the most exploitable issues in your application.
What security issues are specific to Next.js?: Next.js introduces unique attack surfaces that do not exist in traditional web applications. These include SSR injection during server rendering, API route exposure without default authentication, middleware bypass through path manipulation, NEXT_PUBLIC_ environment variable leaks in client bundles, __NEXT_DATA__ over-exposure, ISR cache poisoning and rewrite/redirect abuse. Generic vulnerability scanners miss most of these.
Can you audit Vercel deployments?: Yes. We audit Next.js applications deployed on Vercel, AWS, Google Cloud, self-hosted servers and containerized environments. For Vercel specifically, we review environment variable configuration, preview deployment access, edge function security, serverless function timeout settings and caching behavior. We have audited dozens of production Vercel deployments.
How do I protect API routes in Next.js?: Implement authentication middleware on every API route. Validate and sanitize all input parameters. Use rate limiting to prevent abuse. Implement CORS policies that restrict which origins can call your APIs. Never return sensitive data in error responses. Use Next.js middleware for centralized authentication checks rather than duplicating logic in each route handler. Never trust client-side authentication checks alone.
Does Next.js need a pentest?: If your Next.js application handles user data, processes payments, contains proprietary business logic or serves paying customers, it needs a penetration test. The framework's hybrid rendering model creates attack surfaces that automated scanners cannot detect. Sherlock Forensics offers Next.js-specific security audits starting at $1,500 CAD with results delivered in 3-5 business days.

Get Started

Ship your Next.js app with confidence.

Quick audits from $1,500 CAD. Standard penetration tests from $5,000 CAD.

Order Online

Secure Your Next.js Application

Tell us about your Next.js stack, your deployment platform and your biggest security concerns. We will recommend the right level of assessment for your application.

Call 604.229.1994

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada