# Next.js Launch Security Checklist: 18 Items Before Going Live

Published 2026-02-10. Pre-launch security checklist for Next.js applications: 18 essential items covering API routes, middleware, environment variables, and deployment security.

**TL;DR:** Next.js apps need attention to API routes, Server Components, environment variables, and middleware. Before launch, verify authentication on all protected routes, check that `NEXT_PUBLIC_` variables don't contain secrets, add security headers, and test Server Actions for authorization.

Next.js has both client and server code in the same project, which can lead to confusion about what runs where. This checklist covers Next.js-specific security concerns, from environment variables to Server Actions to API routes.

## Environment Variables (4 items)

- [ ] **Verify NEXT_PUBLIC_ usage.** Only use the `NEXT_PUBLIC_` prefix for values that are safe to expose in the browser; anything with this prefix is inlined into the client bundle at build time.
- [ ] **Check all env vars are set in production.** Missing vars cause runtime errors. Verify them in Vercel or your deployment settings.
- [ ] **Search for hardcoded secrets.** Grep for `api_key`, `sk_`, `pk_`, `password`, `secret`, and `token` in all files.
- [ ] **Verify .env files are gitignored.** Check that `.gitignore` includes `.env`, `.env.local`, and `.env.production.local`.

## API Routes and Server Actions (4 items)

- [ ] **Add authentication to all protected API routes.** Check the session or token in every route handler that requires login.
- [ ] **Validate inputs in API routes.** Use Zod or a similar schema validator to validate request bodies. Never trust client input.
- [ ] **Verify Server Actions check authorization.** Server Actions can be called directly by any client, not only from your own UI. Always verify user permissions inside the action.
- [ ] **Test API routes without authentication.** Call `/api/*` endpoints directly without auth headers; protected routes should return 401.

## Authentication and Middleware (4 items)

- [ ] **Configure middleware for protected routes.** Use `middleware.ts` to redirect unauthenticated users.
- [ ] **Test protected pages without login.** Navigate directly to `/dashboard`, `/admin`, and `/settings` in an incognito window.
- [ ] **Verify session handling.** Sessions should expire appropriately, and logout should clear all tokens.
- [ ] **Check CORS configuration (if needed).** If the API is called from other domains, configure CORS properly.

## Security Headers (3 items)

- [ ] **Add security headers in next.config.js.** Add `X-Frame-Options`, `X-Content-Type-Options`, and `Referrer-Policy`.
- [ ] **Configure Content Security Policy.** A CSP limits the impact of XSS by restricting where scripts may load from. Start restrictive and loosen as needed.
- [ ] **Verify HTTPS redirect.** `http://` should redirect to `https://`. This is usually handled by the hosting provider.

## Database and Data (3 items)

- [ ] **Use parameterized queries.** Never concatenate user input into SQL. Use Prisma, Drizzle, or prepared statements.
- [ ] **Verify data access controls.** Can User A access User B's data by changing IDs in requests? Every lookup of a user-owned record should be scoped to the authenticated user.
- [ ] **Run automated security scan.** Catch issues you may have missed in manual review.

## FAQ

**What security checks should I do before deploying Next.js?**

Before deploying Next.js, verify environment variables are set correctly (`NEXT_PUBLIC_` only for client-safe values), add authentication to API routes, configure security headers, test Server Actions for proper authorization, and ensure database queries use parameterized statements.

**How do I secure Next.js API routes?**

Secure Next.js API routes by adding authentication middleware, validating request bodies with a schema validator like Zod, implementing rate limiting, checking user permissions for sensitive operations, and ensuring errors don't leak sensitive information.

**Are Server Actions secure by default?**

Server Actions run on the server but can be invoked directly from the client. They're not secure by default. You need to add authentication checks and input validation in every Server Action that modifies data or accesses protected resources.

## Scan Your Next.js App

Automated scanning finds issues in API routes, env vars, and more.