[{"data":1,"prerenderedAt":220},["ShallowReactive",2],{"blog-checklists/nextjs-security-checklist":3},{"id":4,"title":5,"body":6,"category":197,"date":198,"dateModified":198,"description":199,"draft":200,"extension":201,"faq":202,"featured":200,"headerVariant":205,"image":206,"keywords":206,"meta":207,"navigation":208,"ogDescription":209,"ogTitle":206,"path":210,"readTime":206,"schemaOrg":211,"schemaType":212,"seo":213,"sitemap":214,"stem":215,"tags":216,"twitterCard":218,"__hash__":219},"blog/blog/checklists/nextjs-security-checklist.md","Next.js Security Checklist: 18-Item Guide for App Router & Pages Router",{"type":7,"value":8,"toc":191},"minimark",[9,16,19,22,47,62,81,92,101,116,130,135,138,160,179],[10,11,12],"tldr",{},[13,14,15],"p",{},"This 18-item checklist covers critical Next.js security configurations: API routes, middleware, server components, and security headers. 6 critical items must be fixed before launch, 7 important items within the first week, and 5 recommended items when you can.",[13,17,18],{},"Next.js blurs the line between client and server in ways that make it easy to accidentally expose secrets or skip auth checks. The NEXT_PUBLIC_ prefix alone has caused more data leaks than most people realize. Whether you are on App Router or Pages Router, these are the items that actually matter before real users start hitting your endpoints.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"NEXT_PUBLIC_ variables are exposed to the browser","Secrets don't have NEXT_PUBLIC_ prefix",[27,32],{"description":33,"label":34},"Use getServerSession() or auth library in every API route","All protected routes check authentication",[27,36],{"description":37,"label":38},"Use middleware.ts to guard /dashboard, /api, etc.","Auth middleware protects private routes",[27,40],{"description":41,"label":42},"Check session in every server action that modifies data","Server actions validate authentication",[27,44],{"description":45,"label":46},"Must be set for production - generate with openssl rand -base64 32","NEXTAUTH_SECRET set in production",[23,48,51,54,58],{"title":49,"count":50},"Environment Variables","3",[27,52],{"description":53,"label":30},"NEXT_PUBLIC_ variables are exposed to the browser. How to separate client/server keys",[27,55],{"description":56,"label":57},"Local environment files should never be committed. How to secure env files",".env.local in .gitignore",[27,59],{"description":60,"label":61},"Vercel, Railway, etc. should have production secrets configured. How to configure env variables","Production env vars set in hosting platform",[23,63,66,69,73,77],{"title":64,"count":65},"API Routes (App Router)","4",[27,67],{"description":68,"label":34},"Use getServerSession() or auth library in every route. How to implement auth checks",[27,70],{"description":71,"label":72},"Verify user owns/can access the resource they're requesting. How to implement authorization","Authorization checked for resource access",[27,74],{"description":75,"label":76},"Parse and validate request body before using. How to validate inputs","Input validated with Zod or similar",[27,78],{"description":79,"label":80},"Login, signup, password reset should be rate limited. How to implement rate limiting","Rate limiting on sensitive endpoints",[23,82,85,88],{"title":83,"count":84},"Middleware","2",[27,86],{"description":87,"label":38},"Use middleware.ts to guard /dashboard, /api, etc. How to set up auth middleware",[27,89],{"description":90,"label":91},"Verify middleware runs on intended routes only. How to configure middleware matcher","Matcher config is correct",[23,93,95,98],{"title":94,"count":50},"Server Components & Server Actions",[27,96],{"description":97,"label":42},"Check session in every server action that modifies data. How to secure server actions",[13,99,100],{},"::checklist-item{label=\"Sensitive data not passed to client components\" description=\"Don't pass secrets, full user objects, or internal IDs to \"use client\". How to secure client data\"}\n::\n::checklist-item{label=\"server-only package used for sensitive modules\" description=\"Import \"server-only\" to prevent accidental client bundling. How to use server-only package\"}\n::",[23,102,104,108,112],{"title":103,"count":50},"Security Headers",[27,105],{"description":106,"label":107},"Set in next.config.js headers or middleware. How to configure CSP","Content-Security-Policy configured",[27,109],{"description":110,"label":111},"DENY or SAMEORIGIN to prevent clickjacking. How to prevent clickjacking","X-Frame-Options set",[27,113],{"description":114,"label":115},"Force HTTPS with HSTS header. How to enable HSTS","Strict-Transport-Security configured",[23,117,119,122,126],{"title":118,"count":50},"Authentication (NextAuth/Auth.js)",[27,120],{"description":121,"label":46},"Must be set for production - generate with openssl rand -base64 32. How to configure NEXTAUTH_SECRET",[27,123],{"description":124,"label":125},"Check jwt and session callbacks for exposed data. How to secure NextAuth callbacks","Callbacks don't leak sensitive data",[27,127],{"description":128,"label":129},"Use JWT for stateless, database sessions for revocation needs. How to choose session strategy","Session strategy appropriate",[131,132,134],"h2",{"id":133},"how-to-use-this-checklist","How to Use This Checklist",[13,136,137],{},"Go through each item before deploying your Next.js project. Open browser DevTools, go to Network tab, and check what data your app is sending. Look for exposed tokens, full database records, or sensitive fields.",[139,140,141,148,154],"faq-section",{},[142,143,145],"faq-item",{"question":144},"How do I secure Next.js API routes?",[13,146,147],{},"Check authentication in every API route using getServerSession() or your auth library. Verify the user has permission to access the requested resource. Validate all inputs with Zod or similar. Implement rate limiting on sensitive endpoints.",[142,149,151],{"question":150},"What security headers should I add to Next.js?",[13,152,153],{},"Add X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), Strict-Transport-Security (for HTTPS), and Content-Security-Policy. Configure these in next.config.js headers() function.",[142,155,157],{"question":156},"How do I prevent exposing secrets in Next.js?",[13,158,159],{},"Never use NEXT_PUBLIC_ prefix for secrets. Use the \"server-only\" package for modules with sensitive code. Keep secrets in Server Components and API routes only. Never pass sensitive data as props to client components.",[161,162,163,169,174],"related-articles",{},[164,165],"related-card",{"description":166,"href":167,"title":168},"Complete guide to Next.js security","/blog/best-practices/nextjs","Next.js Security Guide",[164,170],{"description":171,"href":172,"title":173},"Frontend security for React","/blog/checklists/react-security-checklist","React Security Checklist",[164,175],{"description":176,"href":177,"title":178},"Deploy Next.js securely on Vercel","/blog/checklists/vercel-security-checklist","Vercel Security Checklist",[180,181,184,188],"cta-box",{"href":182,"label":183},"/","Start Free Scan",[131,185,187],{"id":186},"scan-your-nextjs-project","Scan Your Next.js Project",[13,189,190],{},"Our scanner checks for exposed secrets, missing auth, and security misconfigurations.",{"title":192,"searchDepth":193,"depth":193,"links":194},"",2,[195,196],{"id":133,"depth":193,"text":134},{"id":186,"depth":193,"text":187},"checklists","2026-01-30","Complete Next.js security checklist for both App Router and Pages Router. API routes, middleware, server components, and security headers.",false,"md",[203,204],{"question":144,"answer":147},{"question":150,"answer":153},"green",null,{},true,"Complete Next.js security checklist. API routes, middleware, server components.","/blog/checklists/nextjs-security-checklist","[object Object]","HowTo",{"title":5,"description":199},{"loc":210},"blog/checklists/nextjs-security-checklist",[217],"Security Checklist","summary_large_image","sZUR1icPmwRWgGP59ZMRVUwqnHgk4fD3lP60H2um7hE",1775843918547]