How do I secure a Next.js app?

Short answer

Upgrade Next.js to 15.2.3+ / 14.2.25+ (fixes CVE-2025-29927), enable HTTPS-only + security headers via next.config.mjs, verify auth in every server action, audit every NEXT_PUBLIC_ env var, and run a sandbox-verified scanner on every PR. The full checklist is on Securie at /checklist/next-js-security-checklist.

The realistic Next.js security checklist:

**Versions + patches**
- Next.js 15.2.3+ or 14.2.25+ (fixes the CVE-2025-29927 middleware bypass)
- No high-severity CVEs in npm audit

**Routing + middleware**
- middleware.ts matcher covers every protected route
- Server actions verify the session at entry
- Dynamic /[id] routes check ownership (BOLA defense)
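Worked example for the three routing items, added here (it is not code from Securie's checklist or from Next.js). It keeps the checks framework-free so they can be read and run on their own: the Session type, the Doc records, HttpError and PROTECTED_PREFIXES are constructed, and the comments say where each piece lands in a real app (middleware.ts, a 'use server' action, and a /docs/[id] route).

```typescript
// Framework-free stand-ins for the three routing checks. The Session type,
// Doc records, HttpError and PROTECTED_PREFIXES are all constructed for this
// example; in a real app the session comes from your auth library and the
// documents from the database.

type Session = { userId: string } | null;
type Doc = { id: string; ownerId: string; title: string };

class HttpError extends Error {
  status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}

// One list drives both the middleware matcher and the in-code check, so the
// two cannot drift apart when a new protected area is added.
const PROTECTED_PREFIXES = ['/dashboard', '/api/private', '/docs'];

// What middleware.ts would `export const config = ...`; `/:path*` matches the
// prefix itself and everything below it.
const middlewareConfig = {
  matcher: PROTECTED_PREFIXES.map((p) => `${p}/:path*`),
};

function isProtectedPath(pathname: string): boolean {
  return PROTECTED_PREFIXES.some((p) => pathname === p || pathname.startsWith(`${p}/`));
}

// The edge gate: what middleware() decides for a request. In the real file the
// 'redirect-login' branch becomes NextResponse.redirect(new URL('/login', req.url)).
function middlewareDecision(pathname: string, session: Session): 'next' | 'redirect-login' {
  return isProtectedPath(pathname) && !session ? 'redirect-login' : 'next';
}

// Dynamic /docs/[id] route: object-level authorization (BOLA defense).
// A missing id and someone else's id both return 404, so the response does not
// reveal whether the id exists.
function findOwned(session: Session, id: string, docs: Doc[]): Doc {
  if (!session) throw new HttpError(401, 'unauthenticated');
  const doc = docs.find((d) => d.id === id);
  if (!doc || doc.ownerId !== session.userId) throw new HttpError(404, 'not found');
  return doc;
}

// A server action ('use server' in the real file): verify the session at entry,
// before any input is read. Middleware is a perimeter, not the authority; the
// action re-checks on its own.
function renameDocument(session: Session, docId: string, newTitle: string, docs: Doc[]): Doc {
  if (!session) throw new HttpError(401, 'unauthenticated');
  if (newTitle.trim().length === 0 || newTitle.length > 200) throw new HttpError(400, 'bad title');
  const doc = findOwned(session, docId, docs);
  doc.title = newTitle;
  return doc;
}

// Constructed sample data
const sampleDocs: Doc[] = [
  { id: 'd1', ownerId: 'alice', title: 'Q3 plan' },
  { id: 'd2', ownerId: 'bob', title: 'Notes' },
];
```

The point of the duplicated session check is deliberate: the middleware gate only helps for routes its matcher covers, and it was the layer CVE-2025-29927 bypassed, so every server action and every dynamic route performs its own check and never trusts that a request "must have passed middleware".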

**Env + secrets**
- No secret prefixed with NEXT_PUBLIC_
- Secrets in Vercel env vars or an external secrets manager
- .env.local in .gitignore
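A small audit for the NEXT_PUBLIC_ item, added as an example (not Securie's or Next.js code). Anything prefixed NEXT_PUBLIC_ is inlined into the client bundle at build time, so it is public by definition; the audit parses a .env file and flags any such variable whose name or value looks like a credential. The hint lists, the credential-format pattern and the sample .env text are constructed for this example, and the name heuristic is exactly that, a heuristic with an allowlist for names that are meant to be public.

```typescript
// Heuristic audit of NEXT_PUBLIC_ variables in dotenv text. Hint lists,
// the value pattern and SAMPLE_ENV are constructed for this example.

const SECRET_NAME_HINTS = [
  'SECRET', 'PRIVATE', 'PASSWORD', 'PASSWD', 'TOKEN',
  'API_KEY', 'ACCESS_KEY', 'DATABASE_URL', 'DSN',
];

// Names that contain a hint word but are meant to be public (publishable
// keys, reCAPTCHA site keys, OAuth client ids).
const PUBLIC_OK_HINTS = ['PUBLISHABLE', 'PUBLIC_KEY', 'SITE_KEY', 'CLIENT_ID'];

// Value shapes of well-known credential formats: Stripe sk_, GitHub ghp_,
// AWS AKIA..., Slack xox*-, and a JWT (base64url '{"' is 'eyJ').
const SECRET_VALUE_PATTERN = /^(sk_(live|test)_|ghp_|AKIA[0-9A-Z]{12,}|xox[abp]-|eyJ[A-Za-z0-9_-]+\.)/;

type Finding = { name: string; reason: string };

// Minimal dotenv-style parser: KEY=value, optional `export`, optional quotes,
// '#' comment lines.
function parseEnv(text: string): Map<string, string> {
  const vars = new Map<string, string>();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const name = line.slice(0, eq).replace(/^export\s+/, '').trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    vars.set(name, value);
  }
  return vars;
}

function auditPublicEnv(text: string): Finding[] {
  const findings: Finding[] = [];
  parseEnv(text).forEach((value, name) => {
    if (!name.startsWith('NEXT_PUBLIC_')) return; // server-only: never reaches the bundle
    const upper = name.toUpperCase();
    if (PUBLIC_OK_HINTS.some((ok) => upper.includes(ok))) return;
    const hint = SECRET_NAME_HINTS.find((h) => upper.includes(h));
    if (hint) {
      findings.push({ name, reason: `name contains ${hint}` });
    } else if (SECRET_VALUE_PATTERN.test(value)) {
      findings.push({ name, reason: 'value has a known credential format' });
    }
  });
  return findings;
}

// Constructed .env.local contents; every value is a placeholder.
const SAMPLE_ENV = `
# constructed sample
NEXT_PUBLIC_API_URL=https://api.example.com
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_placeholder
NEXT_PUBLIC_STRIPE_SECRET_KEY="sk_test_placeholder"
NEXT_PUBLIC_ANALYTICS_ID=G-PLACEHOLDER
NEXT_PUBLIC_UPLOAD_TOKEN=placeholder
export NEXT_PUBLIC_BACKEND_AUTH=eyJhbGciOiJIUzI1NiJ9.placeholder.signature
DATABASE_URL=postgres://user:placeholder@localhost/app
STRIPE_SECRET_KEY=sk_test_placeholder
`;
```

Run it over .env, .env.local and .env.production in CI and fail the build on any finding; the allowlist is where you record the few NEXT_PUBLIC_ values that legitimately trip a hint word, so the check stays noisy enough to catch a renamed secret but quiet on known-public keys.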

**Headers + CSP**
- HSTS, X-Frame-Options, X-Content-Type-Options via next.config.mjs
- Content-Security-Policy with nonces via middleware
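Worked example for both header items, added here (not Securie's checklist code or Next.js code). The static set is shaped for the headers() export in next.config.mjs; the CSP is built per request because its nonce changes per request, which is why it belongs in middleware rather than in the config. The header values are my baseline choices for the example, and the nonce-flow comment describes the pattern from the Next.js CSP guide (middleware sets an x-nonce request header that the root layout reads).

```typescript
import { randomBytes } from 'node:crypto';

// Static headers for next.config.mjs `headers()`. Values are baseline choices
// made for this example; two-year HSTS with preload is the usual floor.
function securityHeaders(): { key: string; value: string }[] {
  return [
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

// Shape of the next.config.mjs export (`export default nextConfig`): the
// static set applies to every route. CSP is deliberately not here because a
// nonce must differ per request and next.config is evaluated once.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders() }];
  },
};

// Per-request nonce. This uses node:crypto so the example runs stand-alone;
// in the edge runtime use crypto.getRandomValues on a Uint8Array instead.
function newNonce(): string {
  return randomBytes(16).toString('base64');
}

// Nonce-based policy. 'strict-dynamic' lets scripts loaded by a nonced script
// run without listing every chunk URL, and there is no 'unsafe-inline'.
// Flow per the Next.js CSP guide: middleware calls buildCsp(newNonce()), sets
// the result on the response, and forwards the nonce to the app as an
// x-nonce request header so the root layout can pass it to <Script nonce>.
function buildCsp(nonce: string, reportOnly = false): { name: string; value: string } {
  const directives = [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
    `style-src 'self' 'nonce-${nonce}'`,
    "img-src 'self' blob: data:",
    "font-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
    'upgrade-insecure-requests',
  ];
  return {
    name: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: directives.join('; '),
  };
}

// Pull one directive's source list out of a policy string, for checks in CI.
function directiveSources(csp: string, directive: string): string[] {
  const hit = csp.split(';').map((d) => d.trim()).find((d) => d.startsWith(`${directive} `));
  return hit ? hit.split(/\s+/).slice(1) : [];
}
```

Roll the policy out with reportOnly = true first, read the violation reports for a release or two, then switch to enforcing; frame-ancestors 'none' in the CSP is what modern browsers honour, with X-Frame-Options kept for older ones.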

**Data**
- Parameterized SQL queries, always
- Input validation with Zod
- Rate limits on paid-API routes
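Worked example for the rate-limit item, added here (not code from Securie or Next.js). It is a sliding-window limiter in the shape a route handler under app/api would call, with an injectable clock so the 429 path can be checked deterministically. The limiter class, the handler shape and the limits are constructed for this example; the caveat a practitioner needs is in the first comment.

```typescript
// Sliding-window limiter for a paid-API route handler. Counters live in
// memory, so each serverless instance has its own view; in production the
// same logic runs over a shared store (Redis or similar). The class, the
// handler shape and the limits are constructed for this example.

type Verdict = { allowed: boolean; remaining: number; retryAfterMs: number };

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>(); // key -> timestamps (ms) in the window
  private limit: number;
  private windowMs: number;

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // `now` is injectable so behaviour is deterministic under test.
  check(key: string, now: number = Date.now()): Verdict {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // oldest hit still in the window decides when a slot frees up
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Key on the authenticated user when there is one. An IP fallback is only
// meaningful when x-forwarded-for is set by your own proxy, not by the client.
function limiterKey(userId: string | null, clientIp: string): string {
  return userId ? `user:${userId}` : `ip:${clientIp}`;
}

// Route-handler shape: app/api/paid/route.ts would call this and wrap the
// result in a Response. It returns status and headers instead of a Response
// so the decision can be inspected directly.
function handlePaidRequest(
  limiter: SlidingWindowLimiter,
  key: string,
  now: number = Date.now(),
): { status: number; headers: Record<string, string> } {
  const v = limiter.check(key, now);
  const headers: Record<string, string> = { 'X-RateLimit-Remaining': String(v.remaining) };
  if (!v.allowed) {
    headers['Retry-After'] = String(Math.ceil(v.retryAfterMs / 1000));
    return { status: 429, headers };
  }
  // the paid upstream call goes here
  return { status: 200, headers };
}

// Constructed limit: 3 requests per minute per key
const paidApiLimiter = new SlidingWindowLimiter(3, 60000);
```

Check the limit before the session check does any expensive work but after the session is known, so the key is the user id rather than a spoofable address; the Retry-After header is what well-behaved clients back off on.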

**Continuous**
- Pre-deploy security scan on every release
- Dependency updates automated (Dependabot / Renovate)
