Next.js analyzer

Next.js Security

Detects Next.js-specific security anti-patterns: middleware bypass, header misuse, environment-variable leaks, XSS vectors.

security nextjs-security

Next.js inverts several assumptions about where code runs. Files marked "use server" have full Node.js access; client components ("use client") expose every process.env.NEXT_PUBLIC_* variable to browsers, because those values are inlined into the client bundle at build time; middleware runs on the Edge runtime with a restricted API surface. Each boundary has its own security pitfalls. This analysis surfaces patterns that cross those boundaries incorrectly.
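As an added illustration of what such an analysis looks for (this is not the analyzer's own code, and the rule names, severities and sample files are constructed for the example), the scanner below walks source lines and reports three of the boundary-crossing patterns named above: a secret-looking NEXT_PUBLIC_ variable, a server-only variable read inside a "use client" file, and a dangerouslySetInnerHTML sink fed by a computed value rather than a literal.

```javascript
// Added example: a minimal line-oriented scanner for three boundary-crossing
// patterns. Not the analyzer's own code; rule names, severities and the
// sample files below are constructed for illustration.

// Names that make a NEXT_PUBLIC_ variable look like a secret (assumed list).
const SECRET_NAME = /SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY|CREDENTIAL/i;

// A file opts into the browser bundle with a "use client" directive that
// must be the first statement, so only the first real line is inspected.
function isClientComponent(source) {
  for (const line of source.split("\n")) {
    const t = line.trim();
    if (t === "" || t.startsWith("//")) continue;
    return /^['"]use client['"];?$/.test(t);
  }
  return false;
}

function scanFile(path, source) {
  const findings = [];
  const client = isClientComponent(source);
  source.split("\n").forEach((line, idx) => {
    const lineNo = idx + 1;

    // Rules 1 and 2: every process.env.<NAME> reference on the line.
    for (const m of line.matchAll(/process\.env\.([A-Z0-9_]+)/g)) {
      const name = m[1];
      if (name.startsWith("NEXT_PUBLIC_")) {
        // Inlined into the client bundle at build time: must not be a secret.
        if (SECRET_NAME.test(name.slice("NEXT_PUBLIC_".length))) {
          findings.push({ path, line: lineNo, severity: "critical", rule: "public-env-secret",
            message: `${name} is inlined into the browser bundle but is named like a secret` });
        }
      } else if (client) {
        // Server-only name inside a client file: undefined in the browser,
        // but readable during SSR and easy to leak through props or logs.
        findings.push({ path, line: lineNo, severity: "warning", rule: "server-env-in-client",
          message: `${name} is server-only and should not be read in a client component` });
      }
    }

    // Rule 3: dangerouslySetInnerHTML whose __html is not a string literal.
    const sink = line.match(/dangerouslySetInnerHTML=\{\{\s*__html:\s*([^}]+)\}\}/);
    if (sink) {
      const expr = sink[1].trim();
      const isLiteral = /^(['"`]).*\1$/.test(expr);
      if (!isLiteral) {
        findings.push({ path, line: lineNo, severity: "warning", rule: "raw-html-sink",
          message: `__html is computed from "${expr}"; sanitize it or use a literal` });
      }
    }
  });
  return findings;
}

// Constructed sample inputs (not real project files).
const SAMPLES = {
  "app/components/Banner.jsx": [
    "'use client';",
    "export default function Banner({ html }) {",
    "  const tracking = process.env.NEXT_PUBLIC_ANALYTICS_ID; // fine: meant for browsers",
    "  const token = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY; // critical",
    "  const dbUrl = process.env.DATABASE_URL; // warning: server-only name in a client file",
    "  return <div dangerouslySetInnerHTML={{ __html: html }} />; // warning",
    "}",
  ].join("\n"),
  "app/actions.js": [
    "'use server';",
    "export async function save(formData) {",
    "  const dbUrl = process.env.DATABASE_URL; // fine: server-only file",
    "  return db.insert(formData.get('name'));",
    "}",
  ].join("\n"),
};

function scanAll(samples = SAMPLES) {
  return Object.entries(samples).flatMap(([p, src]) => scanFile(p, src));
}

function summarize(findings) {
  const counts = { info: 0, warning: 0, critical: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

for (const f of scanAll()) console.log(`${f.path}:${f.line} ${f.severity} ${f.rule}: ${f.message}`);
```

Running it on the constructed samples yields one critical and two warnings, all in Banner.jsx; the same DATABASE_URL read in the "use server" file is not reported, which is the point of keying the rule on the file's directive rather than on the variable name alone.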

Severity guide

info: A security-related pattern is present; verify intent.
warning: A pattern may leak data or weaken security guarantees; review and tighten.
critical: A pattern actively leaks sensitive data or creates an exploit path; fix immediately.

Remediation

Audit boundary-crossing data flows (server→client, environment vars, middleware); use NEXT_PUBLIC_ only for non-sensitive values.

Server actions must validate and authorize their inputs server-side regardless of any client-side validation: a server action is a public HTTP endpoint, and a caller can post any fields, not only the ones the form displays. Environment variables without the NEXT_PUBLIC_ prefix stay server-only; never pass them to client components as props, serialize them into page data, or log them where client code runs. Middleware that conditionally authorizes routes runs on the Edge runtime, so it must work within that runtime's constraints (no Node.js-only APIs), its matcher must cover every protected path, and it should be treated as defense in depth, with the authoritative check repeated in the route handler or server component it protects.
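The three remediation rules above, written as plain functions with no framework imports so they run anywhere. This is an added example, not the analyzer's or Next.js's own code; saveProfile, clientEnv, assertClientSafeProps, authorizeEdge, requireSession and the request and session shapes are assumed for illustration.

```javascript
// Added example (not the analyzer's or Next.js's own code): server-side
// validation, the NEXT_PUBLIC_ boundary, and edge middleware as defense in
// depth, as framework-free functions. All names are assumed for illustration.

// 1. Server actions are public HTTP endpoints: validate every field on the
// server and reject fields the client was never meant to set.
const USERNAME = /^[a-z0-9_]{3,32}$/;

function parseProfile(formData) {
  // formData: anything with get(), e.g. a real FormData or a Map in tests.
  const username = String(formData.get("username") ?? "");
  const errors = [];
  if (!USERNAME.test(username)) errors.push("username must be 3-32 chars of [a-z0-9_]");
  if (formData.get("role") != null) errors.push("role cannot be set by the client");
  return errors.length ? { ok: false, errors } : { ok: true, value: { username } };
}

function saveProfile(formData, session) {
  if (!session) return { status: 401 };              // authorize inside the action, not only in middleware
  const parsed = parseProfile(formData);
  if (!parsed.ok) return { status: 400, errors: parsed.errors };
  return { status: 200, saved: { ...parsed.value, owner: session.userId } };
}

// 2. Only NEXT_PUBLIC_ values belong in the browser. Build the client view
// explicitly, and refuse to pass a server-only value across as a prop.
function clientEnv(env) {
  return Object.fromEntries(Object.entries(env).filter(([k]) => k.startsWith("NEXT_PUBLIC_")));
}

function assertClientSafeProps(props, env) {
  const secrets = Object.entries(env).filter(([k, v]) => !k.startsWith("NEXT_PUBLIC_") && v);
  for (const [prop, value] of Object.entries(props)) {
    const hit = secrets.find(([, v]) => v === value);
    if (hit) throw new Error(`prop "${prop}" carries server-only ${hit[0]} into a client component`);
  }
  return props;
}

// 3. Middleware runs on the Edge runtime: no Node.js-only APIs, so decide only
// from what the request itself carries. The matcher must list every protected
// prefix, and the route re-checks with an authoritative session lookup.
const MATCHER = ["/admin", "/api/admin"];   // protected path prefixes (assumed)

function matcherCovers(pathname) {
  return MATCHER.some(p => pathname === p || pathname.startsWith(p + "/"));
}

function authorizeEdge(req) {
  // req: { pathname, cookies: { session?: string } } (constructed shape)
  if (!matcherCovers(req.pathname)) return { action: "next" };        // middleware not invoked here
  if (!req.cookies.session) return { action: "redirect", to: "/login" };
  return { action: "next" };                                             // cookie present: the route verifies it
}

function requireSession(req, lookupSession) {
  // Node runtime route handler: the authoritative check, independent of middleware.
  const session = req.cookies.session ? lookupSession(req.cookies.session) : null;
  return session ? { status: 200, session } : { status: 401 };
}

// Constructed demo: a forged cookie passes the edge check but fails the route.
const sessions = { s1: { userId: "u1" } };
const lookup = id => sessions[id] ?? null;
const forged = { pathname: "/admin/users", cookies: { session: "not-a-real-id" } };
console.log(authorizeEdge(forged));           // { action: 'next' }
console.log(requireSession(forged, lookup));  // { status: 401 }
```

The middleware check deliberately proves nothing beyond "a session cookie exists"; whatever it can do cheaply at the edge, the route handler still performs the lookup that actually decides, so a request that skips or fools the middleware gains nothing.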
