How to fix exposed Next.js config or build files
Your deployed app exposes internal Next.js build files — usually `/.next/` contents, BUILD_ID, or `server/` bundles. In a correctly configured Next.js deployment, only the `public/` directory and statically exported routes are reachable. When the whole build output is served as-is, attackers can read your server-side code, including authentication logic. Fix it by using the Next.js adapter on Vercel or the standalone output, and by never serving the whole build directory.
Why it matters
Next.js server bundles often contain auth middleware, API keys baked in at build time, and internal route logic. Having them public is close to a source-code leak — it is what source maps would expose, but without even needing to reconstruct anything.
How to check
- Try `https://your-site.com/.next/BUILD_ID` — a text response means the folder is public.
- Try `https://your-site.com/.next/server/pages/api/*.js`.
- Any 200 on a `.next/` path is a bug.
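The three checks above as a script you can run after every deploy, an added example that is neither SafeToShip's scanner nor code from the original page. It assumes Node 18+ (global `fetch`), and the filenames under `/.next/server/` are placeholders to replace with one of your own routes.

```javascript
// check-next-exposure.js (added example; not SafeToShip's scanner)
// Probes the paths from "How to check" and flags any 2xx on a /.next/ path.
// Next.js itself serves client assets under /_next/, never /.next/, so a 2xx
// here always comes from a file server exposing the build directory as-is.
// Usage: node check-next-exposure.js https://your-site.com

const PROBE_PATHS = [
  '/.next/BUILD_ID',
  '/.next/build-manifest.json',         // written by every `next build`
  '/.next/server/pages/api/hello.js',   // placeholder: substitute one of your API routes
  '/.next/server/middleware.js',        // placeholder: present only if you ship middleware
];

// Pure classification so results can be unit-tested without network access.
function classify(path, status, contentType = '') {
  if (!path.startsWith('/.next/')) return 'not-a-build-path';
  if (status === 404 || status === 403) return 'ok';
  if (status >= 200 && status < 300) {
    // A 2xx HTML body is usually a catch-all fallback (SPA index), not the file itself.
    return /text\/html/i.test(contentType) ? 'check-manually' : 'EXPOSED';
  }
  return 'check-manually'; // redirects, 5xx, WAF challenge pages
}

// True when at least one probed path came back as EXPOSED.
function isExposed(results) {
  return results.some((r) => r.verdict === 'EXPOSED');
}

async function probe(baseUrl) {
  const results = [];
  for (const path of PROBE_PATHS) {
    // redirect: 'manual' keeps a 301 to "/" from being mistaken for a 200
    const res = await fetch(new URL(path, baseUrl), { redirect: 'manual' });
    const contentType = res.headers.get('content-type') || '';
    results.push({ path, status: res.status, verdict: classify(path, res.status, contentType) });
  }
  return results;
}

const target = process.argv[2];
if (target) {
  probe(target).then((rows) => {
    for (const r of rows) console.log(`${String(r.status).padStart(3)}  ${r.verdict.padEnd(14)} ${r.path}`);
    process.exit(isExposed(rows) ? 1 : 0); // non-zero so a CI step fails on exposure
  });
}
```

Run it against the production URL after redeploying; a clean deployment reports `ok` for every path and exits 0.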
How to fix it
Vercel
Vercel handles this automatically via the Next.js adapter. If yours is exposed, you are probably deploying as a static site when you should be using the Next.js preset, or you manually copied `.next` into `public/`.
Self-hosted Next.js
Use `next start` or a proper server adapter, not a static file server pointed at your repo. If you must use a static host, set `output: 'export'` and deploy only the `out/` directory.
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
My site has /.next/BUILD_ID and other build files reachable from the public internet. Diagnose my deployment setup — am I using `next start`, a static export, or serving the whole build directory? Fix the root cause and confirm that /.next/ returns 404 after redeploying.
Frequently asked questions
- I use `output: 'export'`. Is this relevant?
- Less so — static exports produce an `out/` directory without the `.next/` server files. But make sure you deploy `out/`, not the repo root.