Free Next.js Security Scanner
Scan your Next.js application for middleware bypasses, exposed API routes, unsafe dangerouslySetInnerHTML usage, missing CSP, and other framework-specific vulnerabilities.
Scan My Next.js App — Free
No signup · No credit card · Results in 30 seconds
What the scanner checks
Middleware authorization
Tests if your middleware properly enforces auth on protected routes, including Edge runtime middleware. Detects the CVE-2025-29927 bypass pattern.
Exposed API routes
Scans /api/* endpoints for missing authentication, rate limiting, CORS misconfiguration, and request size limits.
Server Actions security
Checks for unvalidated Server Action inputs, missing CSRF protection in forms, and exposed Server Component props.
Content-Security-Policy for App Router
Validates CSP nonces for inline scripts in Server Components and detects unsafe-inline / unsafe-eval source expressions that weaken the policy.
Environment variable leaks
Detects NEXT_PUBLIC_-prefixed secrets accidentally exposed in the client bundle and .env files left in the webroot.
Build artifact exposure
Scans for exposed .next/, source maps, .env.production, and debug endpoints that leak information about your stack.
Next.js Has a Unique Security Surface
Next.js blends server and client code in ways that break traditional security assumptions. Middleware runs at the edge, Server Actions execute on the server from client-side calls, and environment variables with the NEXT_PUBLIC_ prefix ship to every browser. Each boundary is a potential vulnerability.
CVE-2025-29927 showed the stakes: a middleware-bypass flaw affected every Next.js deployment that relied on middleware for authentication. Our scanner tests framework-specific attack patterns — middleware headers, API route exposure, and CSP nonce handling — that generic scanners miss.
Frequently Asked Questions
Is my Next.js app vulnerable to CVE-2025-29927?
CVE-2025-29927 is a middleware bypass affecting Next.js versions before 14.2.25 and 15.2.3. Attackers could skip middleware authorization by sending a specific header. Upgrade Next.js to a patched version immediately; our scanner can then verify that the fix is deployed.
How do I secure Next.js API routes?
Add authentication to every route handler, enforce rate limits, validate input with Zod or similar, set proper CORS headers, and use the matcher config in middleware to apply auth checks consistently. Our scanner tests each of these.
Should I use CSP with Next.js App Router?
Yes. Use CSP nonces with Server Components — Next.js supports generating per-request nonces in middleware. Avoid unsafe-inline entirely. Configure CSP in middleware.ts and reference the nonce in your Script components.
What's the risk of NEXT_PUBLIC_ environment variables?
Any variable prefixed with NEXT_PUBLIC_ is inlined into the client JavaScript bundle at build time. If you accidentally put a secret there (API keys, service credentials), it becomes visible to every visitor. Only use NEXT_PUBLIC_ for truly public values.
Can the scanner detect issues in Server Actions?
The scanner tests the HTTP layer — it identifies exposed action endpoints, missing CSRF tokens, and insecure response patterns. For deeper Server Action coverage, also run static analysis on your codebase with tools such as Semgrep.
Ship your Next.js app with confidence
Free, instant, no signup. Detailed vulnerability report with fix instructions.
Run Free Next.js Scan