Medium severity

How to fix exposed Next.js config or build files

Your deployed app exposes internal Next.js build files — usually `/.next/` contents, BUILD_ID, or `server/` bundles. In a correctly-configured Next.js deployment, only the `public/` directory and statically-exported routes are reachable. When the whole build output is served as-is, attackers get to read your server-side code, including authentication logic. Fix it by using the Next.js adapter on Vercel or the standalone output and not serving the whole build directory.

Why it matters

Next.js server bundles often contain auth middleware, API keys baked in at build time, and internal route logic. Having them public is close to a source-code leak — it is what source maps would expose, but with nothing left to reconstruct.

How to check

  1. Try `https://your-site.com/.next/BUILD_ID` — a text response means the folder is public.
  2. Try `https://your-site.com/.next/server/pages/api/*.js`.
  3. Any 200 on a `.next/` path is a bug.


How to fix it

Vercel

Vercel handles this automatically via the Next.js adapter. If yours is exposed, you are probably deploying as a static site when you should be using the Next.js preset, or you manually copied `.next` into `public/`.

Self-hosted Next.js

Use `next start` or a proper server adapter, not a static file server pointed at your repo. If you must use a static host, use `output: export` and only deploy the `out/` directory.

AI prompt

Copy-paste into your AI tool

Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.

My site has /.next/BUILD_ID and other build files reachable from the public internet. Diagnose my deployment setup — am I using `next start`, a static export, or serving the whole build directory? Fix the root cause and confirm that /.next/ returns 404 after redeploying.

FAQ

Frequently asked questions

I use `output: 'export'`. Is this relevant?
Less so — static exports produce an `out/` directory without the `.next/` server files. But make sure you deploy `out/`, not the repo root.
