Next.js Launch Security Checklist: 18 Items Before Going Live

TL;DR

Next.js apps need attention to API routes, Server Components, environment variables, and middleware. Before launch, verify authentication on all protected routes, check NEXT_PUBLIC_ variables don't contain secrets, add security headers, and test Server Actions for authorization.

Next.js has both client and server code in the same project, which can lead to confusion about what runs where. This checklist covers Next.js-specific security concerns, from environment variables to Server Actions to API routes.

Environment Variables 4

Verify NEXT_PUBLIC_ usageOnly use NEXT_PUBLIC_ prefix for values safe to expose in browser

Check all env vars are set in productionMissing vars cause runtime errors. Verify in Vercel/deployment settings.

Search for hardcoded secretsGrep for api_key, sk_, pk_, password, secret, token in all files

Verify .env files are gitignoredCheck .gitignore includes .env, .env.local, .env.production.local

API Routes and Server Actions 4

Add authentication to all protected API routesCheck session/token in every route handler that requires login

Validate inputs in API routesUse Zod or similar to validate request bodies. Never trust client input.

Verify Server Actions check authorizationServer Actions can be called directly. Always verify user permissions.

Test API routes without authenticationCall /api/* endpoints directly without auth headers. Should return 401.

Authentication and Middleware 4

Configure middleware for protected routesUse middleware.ts to redirect unauthenticated users

Test protected pages without loginNavigate directly to /dashboard, /admin, /settings in incognito

Verify session handlingSessions should expire appropriately. Logout should clear all tokens.

Check CORS configuration (if needed)If API is called from other domains, configure CORS properly

Security Headers 3

Add security headers in next.config.jsAdd X-Frame-Options, X-Content-Type-Options, Referrer-Policy

Configure Content Security PolicyCSP prevents XSS. Start restrictive and loosen as needed.

Verify HTTPS redirecthttp:// should redirect to https://. Usually handled by hosting.

Database and Data 3

Use parameterized queriesNever concatenate user input into SQL. Use Prisma, Drizzle, or prepared statements.

Verify data access controlsCan User A access User B's data by changing IDs in requests?

Run automated security scanCatch issues you may have missed with manual review

What security checks should I do before deploying Next.js?

Before deploying Next.js, verify environment variables are set correctly (NEXT_PUBLIC_ only for client-safe values), add authentication to API routes, configure security headers, test Server Actions for proper authorization, and ensure database queries use parameterized statements.

How do I secure Next.js API routes?

Secure Next.js API routes by adding authentication middleware, validating request bodies with a schema validator like Zod, implementing rate limiting, checking user permissions for sensitive operations, and ensuring errors don't leak sensitive information.

Are Server Actions secure by default?

Server Actions run on the server but can be invoked directly from the client. They're not secure by default. You need to add authentication checks and input validation in every Server Action that modifies data or accesses protected resources.

Scan Your Next.js App

Automated scanning finds issues in API routes, env vars, and more.

Start Free Scan