Next.js Security Checklist: 18-Item Guide for App Router & Pages Router

TL;DR

This 18-item checklist covers critical Next.js security configurations: API routes, middleware, server components, and security headers. 6 critical items must be fixed before launch, 7 important items within the first week, and 5 recommended items when you can.

Quick Checklist (5 Critical Items)

Secrets don't have NEXT_PUBLIC_ prefixNEXT_PUBLIC_ variables are exposed to the browser

All protected routes check authenticationUse getServerSession() or auth library in every API route

Auth middleware protects private routesUse middleware.ts to guard /dashboard, /api, etc.

Server actions validate authenticationCheck session in every server action that modifies data

NEXTAUTH_SECRET set in productionMust be set for production - generate with openssl rand -base64 32

Environment Variables 3

Secrets don't have NEXT_PUBLIC_ prefixNEXT_PUBLIC_ variables are exposed to the browser. How to separate client/server keys

.env.local in .gitignoreLocal environment files should never be committed. How to secure env files

Production env vars set in hosting platformVercel, Railway, etc. should have production secrets configured. How to configure env variables

API Routes (App Router) 4

All protected routes check authenticationUse getServerSession() or auth library in every route. How to implement auth checks

Authorization checked for resource accessVerify user owns/can access the resource they're requesting. How to implement authorization

Input validated with Zod or similarParse and validate request body before using. How to validate inputs

Rate limiting on sensitive endpointsLogin, signup, password reset should be rate limited. How to implement rate limiting

Middleware 2

Auth middleware protects private routesUse middleware.ts to guard /dashboard, /api, etc. How to set up auth middleware

Matcher config is correctVerify middleware runs on intended routes only. How to configure middleware matcher

Server Components & Server Actions 3

Server actions validate authenticationCheck session in every server action that modifies data. How to secure server actions

::checklist-item{label="Sensitive data not passed to client components" description="Don't pass secrets, full user objects, or internal IDs to "use client". How to secure client data"} :: ::checklist-item{label="server-only package used for sensitive modules" description="Import "server-only" to prevent accidental client bundling. How to use server-only package"} ::

Security Headers 3

Content-Security-Policy configuredSet in next.config.js headers or middleware. How to configure CSP

X-Frame-Options setDENY or SAMEORIGIN to prevent clickjacking. How to prevent clickjacking

Strict-Transport-Security configuredForce HTTPS with HSTS header. How to enable HSTS

Authentication (NextAuth/Auth.js) 3

NEXTAUTH_SECRET set in productionMust be set for production - generate with openssl rand -base64 32. How to configure NEXTAUTH_SECRET

Callbacks don't leak sensitive dataCheck jwt and session callbacks for exposed data. How to secure NextAuth callbacks

Session strategy appropriateUse JWT for stateless, database sessions for revocation needs. How to choose session strategy

How to Use This Checklist

Go through each item before deploying your Next.js project. Open browser DevTools, go to Network tab, and check what data your app is sending. Look for exposed tokens, full database records, or sensitive fields.

How do I secure Next.js API routes?

Check authentication in every API route using getServerSession() or your auth library. Verify the user has permission to access the requested resource. Validate all inputs with Zod or similar. Implement rate limiting on sensitive endpoints.

What security headers should I add to Next.js?

Add X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), Strict-Transport-Security (for HTTPS), and Content-Security-Policy. Configure these in next.config.js headers() function.

How do I prevent exposing secrets in Next.js?

Never use NEXT_PUBLIC_ prefix for secrets. Use the "server-only" package for modules with sensitive code. Keep secrets in Server Components and API routes only. Never pass sensitive data as props to client components.