Security Checklist for Next.js Apps Built with AI

Next.js is the most popular framework for AI-generated web apps. Its hybrid server/client architecture creates unique security boundaries that AI tools frequently get wrong — especially around server actions, API routes, and the critical NEXT_PUBLIC_ prefix.

Why this matters for AI-built apps

AI coding tools generate Next.js apps that run perfectly in development but ship with server-side secrets leaked to the client bundle, API routes without authentication, and middleware that never actually protects anything. These patterns are invisible during testing but exploitable in production.

15-point security checklist

  1. No secrets in NEXT_PUBLIC_ variables (critical)

     Check that no server-side API keys, database URLs, or service role keys use the NEXT_PUBLIC_ prefix. This prefix bundles values into client-side JavaScript, making them visible to anyone who opens your app. Common violations: NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY, NEXT_PUBLIC_STRIPE_SECRET_KEY, NEXT_PUBLIC_DATABASE_URL.

  2. API routes require authentication (critical)

     Every file in app/api/ must verify the user session before processing requests. AI tools often generate API endpoints that accept any request without checking who is calling them. Test by calling each endpoint without a session cookie — it should return 401.

  3. Middleware actually runs on protected routes (high)

     Next.js middleware in middleware.ts must have a correct matcher config. A common AI pattern is generating middleware that exists but has a matcher that misses critical routes, or no matcher at all (defaulting to all routes including static assets). Verify your matcher covers /api/, /dashboard/, and all authenticated paths.

  4. Server Actions validate input (high)

     Server Actions ("use server") receive raw client input. AI-generated actions often skip input validation entirely, trusting whatever the form sends. Every server action should validate input with Zod or similar before processing. Never trust form data directly.

  5. No sensitive data in client components (high)

     React Server Components can safely access databases and secrets. But AI tools sometimes fetch sensitive data in server components and then pass it as props to client components, where it becomes visible in the page source. Audit all props passed from server to client components.

  6. CORS configured for production origin (high)

     Check next.config.ts headers and any API route CORS logic. AI tools default to Access-Control-Allow-Origin: * which allows any website to make authenticated requests to your API. Set this to your specific production domain.

  7. Security headers present (medium)

     Verify your next.config.ts or middleware sets: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security (HSTS), Referrer-Policy: strict-origin-when-cross-origin, and a Content-Security-Policy. AI tools almost never add these.

  8. No source maps in production (medium)

     Check that productionBrowserSourceMaps is not set to true in next.config.ts. Source maps expose your entire source code to anyone using browser dev tools. AI tools sometimes enable this for debugging and forget to disable it.

  9. Error pages don't leak internals (medium)

     Custom error pages (error.tsx, not-found.tsx) should not display stack traces, file paths, or database errors. Next.js hides these in production by default, but AI-generated custom error handlers often catch and display the raw error.

  10. Rate limiting on auth endpoints (high)

      Login, signup, password reset, and magic link endpoints must have rate limiting. Without it, attackers can brute force credentials or flood your email provider. AI tools never add rate limiting to auth flows.

  11. Cookies set with secure defaults (high)

      Session cookies must use httpOnly: true, secure: true (HTTPS only), sameSite: "lax" or "strict". AI-generated cookie settings often omit these flags, making sessions vulnerable to XSS theft and CSRF attacks.

  12. Image optimization doesn't allow arbitrary domains (low)

      In next.config.ts, images.remotePatterns should whitelist specific domains. A wildcard pattern allows attackers to use your server as an image proxy, potentially for SSRF attacks or bandwidth abuse.

  13. Environment variables present in production (medium)

      All required env vars must be set in your production environment. AI tools configure .env.local for development but the production deployment might have missing variables, causing silent failures or fallback to insecure defaults.

  14. poweredByHeader disabled (low)

      Set poweredByHeader: false in next.config.ts. The default X-Powered-By: Next.js header gives attackers information about your stack for targeted exploits.

  15. No hardcoded secrets in source code (critical)

      Search your codebase for hardcoded API keys, JWT secrets, database passwords, and encryption keys. AI tools often put placeholder secrets like "your-secret-key" or "sk_test_..." directly in the code rather than referencing environment variables.
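Checks 1 and 15 can be scripted. The following is an added example, not code from the page or from LaunchShield: it scans .env-style text for secret-looking names carrying the NEXT_PUBLIC_ prefix and scans source text for secret-looking literals. The name and literal patterns are this example's own assumptions, and every sample value is a constructed placeholder.

```typescript
// Names that should never be exposed to the browser bundle (assumed list;
// extend it for the providers your app uses).
const SECRET_NAME = /(SECRET|SERVICE_ROLE|PRIVATE|PASSWORD|DATABASE_URL|TOKEN|API_KEY)/i;
// Literal shapes that indicate a hardcoded credential rather than an env lookup:
// Stripe-style sk_ keys and connection strings with embedded passwords (assumed).
const HARDCODED = /\b(sk_(?:live|test)_[A-Za-z0-9]{8,}|postgres(?:ql)?:\/\/[^\s'"]+:[^\s'"]+@)/;

export interface Finding { line: number; kind: string; detail: string }

// Check 1: NEXT_PUBLIC_ variable whose name says it is a secret.
export function auditEnv(envText: string): Finding[] {
  const findings: Finding[] = [];
  envText.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.charAt(0) === "#") return;        // skip blanks and comments
    const eq = line.indexOf("=");
    if (eq < 0) return;
    const name = line.slice(0, eq).trim();
    if (name.indexOf("NEXT_PUBLIC_") === 0 && SECRET_NAME.test(name)) {
      findings.push({ line: i + 1, kind: "public-secret", detail: name });
    }
  });
  return findings;
}

// Check 15: secret-shaped literal in source. Only a short prefix is reported
// so the finding itself does not re-leak the value.
export function auditSource(src: string): Finding[] {
  const findings: Finding[] = [];
  src.split("\n").forEach((raw, i) => {
    const m = HARDCODED.exec(raw);
    if (m) findings.push({ line: i + 1, kind: "hardcoded-secret", detail: m[1].slice(0, 8) + "..." });
  });
  return findings;
}

// Constructed sample inputs (placeholders, not real credentials).
export const SAMPLE_ENV = [
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",   // fine: public by design
  "NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=placeholder",      // leaks to the client bundle
  "SUPABASE_SERVICE_ROLE_KEY=placeholder",                  // fine: server-only
  "NEXT_PUBLIC_STRIPE_SECRET_KEY=placeholder",              // leaks to the client bundle
].join("\n");
export const SAMPLE_SRC = [
  'const stripe = new Stripe("sk_test_PLACEHOLDER12345");',  // hardcoded
  "const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);", // correct
].join("\n");
```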
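Checks 6, 7, 8, 12 and 14 all live in next.config.ts, so one audit can cover them. This is an added example, not code from the page or from LaunchShield: a weak config of the kind generated tools produce, the hardened version, and a checker that reports the differences. The config type is a subset of the Next.js options the checklist names (in a real next.config.ts the rules come from `async headers()`; here they are a plain array), and example.com hostnames are placeholders.

```typescript
type Header = { key: string; value: string };
type HeaderRule = { source: string; headers: Header[] };
type NextConfigSubset = {
  poweredByHeader?: boolean;
  productionBrowserSourceMaps?: boolean;
  images?: { remotePatterns?: { protocol?: string; hostname: string }[] };
  headers?: HeaderRule[];   // what `async headers()` would return
};

// Headers check 7 requires on every response.
const REQUIRED = ["X-Content-Type-Options", "X-Frame-Options", "Strict-Transport-Security",
  "Referrer-Policy", "Content-Security-Policy"];

export function auditConfig(cfg: NextConfigSubset): string[] {
  const issues: string[] = [];
  if (cfg.poweredByHeader !== false) issues.push("poweredByHeader not disabled");          // check 14
  if (cfg.productionBrowserSourceMaps) issues.push("productionBrowserSourceMaps enabled");  // check 8
  for (const p of cfg.images?.remotePatterns ?? []) {                                        // check 12
    if (/^\*/.test(p.hostname)) issues.push("wildcard image host " + p.hostname);
  }
  const rules = cfg.headers ?? [];
  // Site-wide rule: Next.js matches every route with "/(.*)" or "/:path*".
  const site = rules.filter((r) => r.source === "/(.*)" || r.source === "/:path*")[0];
  const names = (site ? site.headers : []).map((h) => h.key.toLowerCase());
  for (const r of REQUIRED) if (names.indexOf(r.toLowerCase()) < 0) issues.push("missing " + r);
  for (const rule of rules) for (const h of rule.headers) {                                  // check 6
    if (h.key.toLowerCase() === "access-control-allow-origin" && h.value === "*")
      issues.push("ACAO * on " + rule.source);
  }
  return issues;
}

// Weak config (constructed): source maps on, any image host, CORS open to all origins.
export const weakConfig: NextConfigSubset = {
  productionBrowserSourceMaps: true,
  images: { remotePatterns: [{ protocol: "https", hostname: "**" }] },
  headers: [{ source: "/api/:path*", headers: [{ key: "Access-Control-Allow-Origin", value: "*" }] }],
};

// Hardened config (constructed): the same settings as the checklist wants them.
export const hardenedConfig: NextConfigSubset = {
  poweredByHeader: false,
  productionBrowserSourceMaps: false,
  images: { remotePatterns: [{ protocol: "https", hostname: "cdn.example.com" }] },
  headers: [
    { source: "/(.*)", headers: [
      { key: "X-Content-Type-Options", value: "nosniff" },
      { key: "X-Frame-Options", value: "DENY" },
      { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
      { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
      { key: "Content-Security-Policy", value: "default-src 'self'" },
    ] },
    { source: "/api/:path*", headers: [{ key: "Access-Control-Allow-Origin", value: "https://app.example.com" }] },
  ],
};
```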
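For check 3, the question is whether `config.matcher` in middleware.ts actually reaches every route that needs protection. The following added example (not from the page or from LaunchShield) converts the documented matcher forms into regular expressions and lists the required paths a matcher leaves uncovered. It assumes matchers use `/dashboard`, `/dashboard/:path*`, `/:path+` or a parenthesised regex group like `/((?!api|_next/static).*)`; it is an approximation of the Next.js matcher, not the framework's own code, and the sample paths are constructed.

```typescript
// Translate one Next.js-style matcher entry into an anchored RegExp.
export function matcherToRegExp(pattern: string): RegExp {
  let out = "";
  let i = 0;
  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === "(") {                         // parenthesised group: already regex, copy verbatim
      let depth = 0;
      let j = i;
      do {
        if (pattern[j] === "(") depth++;
        else if (pattern[j] === ")") depth--;
        j++;
      } while (depth > 0 && j < pattern.length);
      out += pattern.slice(i, j);
      i = j;
      continue;
    }
    if (ch === ":") {                         // :name (one segment), :name* (zero+), :name+ (one+)
      let j = i + 1;
      while (j < pattern.length && /[A-Za-z0-9_]/.test(pattern[j])) j++;
      const mod = pattern[j];
      if (mod === "*") {
        if (out.charAt(out.length - 1) === "/") out = out.slice(0, -1);
        out += "(?:/[^/]+)*";                 // "/dashboard/:path*" also matches "/dashboard"
        j++;
      } else if (mod === "+") { out += "[^/]+(?:/[^/]+)*"; j++; }
      else out += "[^/]+";
      i = j;
      continue;
    }
    out += ch.replace(/[.+?^${}|\\]/g, "\\$&"); // literal characters
    i++;
  }
  return new RegExp("^" + out + "/?$");
}

// Required paths that no matcher entry reaches.
export function uncoveredPaths(matcher: string[], required: string[]): string[] {
  const regs = matcher.map(matcherToRegExp);
  return required.filter((p) => !regs.some((r) => r.test(p)));
}

// Constructed sample: paths the checklist says must be protected.
export const MUST_COVER = ["/api/users", "/dashboard", "/dashboard/settings", "/account/billing"];
// Typical generated matcher: exact paths only, so nested routes run with no middleware.
export const GENERATED_MATCHER = ["/dashboard", "/api"];
// Corrected matcher covering each subtree.
export const FIXED_MATCHER = ["/dashboard/:path*", "/api/:path*", "/account/:path*"];
```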

Don't check manually — automate it

LaunchShield runs all these checks (and more) automatically on your Next.js codebase. Connect your repo, get a verdict in minutes.

Scan your Next.js app now

Your AI can build it. LaunchShield tells you if it's safe to ship.

Get an independent security verdict with a professional report — not a chat transcript. Under 2 minutes, no credit card required.

Read-only access · No source code stored · Revoke anytime