Medium severity · Next.js

Exposed Next.js build files on Next.js

Your deployed app exposes internal Next.js build files, usually `/.next/` contents, the BUILD_ID file, or `server/` bundles. In a correctly configured Next.js deployment only the `public/` directory and statically exported routes are reachable. When the whole build output is served as-is, anyone on the internet can read your server-side code, including authentication logic. Fix it by deploying through the Next.js adapter on Vercel or with the standalone output (`output: 'standalone'`), and never serving the whole build directory.

The fix for Next.js

Self-hosted Next.js

Use `next start` or a proper server adapter, not a static file server pointed at your repo. If you must use a static host, set `output: 'export'` in `next.config.js` and deploy only the `out/` directory.

Why it matters

Next.js server bundles often contain auth middleware, API keys baked in at build time, and internal route logic. Having them public is close to a source-code leak: it is what source maps would expose, with no reconstruction needed.

Confirm the fix worked

Scan your Next.js site to confirm this finding is gone.
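As an added example (not from this finding page or from Next.js itself), a small Node script that does the check this section describes: it requests the build-artifact paths on your own deployed origin and reports which ones are really served. `/.next/BUILD_ID` comes from the finding; the manifest paths, the script name and the placeholder origin are assumptions.

```javascript
// Added verification script, not part of the original finding page. It probes a
// deployed origin for the Next.js build artifacts the finding describes and
// reports which are actually served. Assumes Node 18+ (global fetch).
// /.next/BUILD_ID is named in the finding; the other paths are standard Next.js
// build output locations (assumed to still apply to your Next.js version).
const BUILD_ARTIFACT_PATHS = [
  "/.next/BUILD_ID",
  "/.next/build-manifest.json",
  "/.next/routes-manifest.json",
  "/.next/server/pages-manifest.json",
];
// Only an HTTP 200 counts, and a 200 that is an HTML document is ignored:
// many hosts answer unknown paths with a 200 fallback page, whereas a real
// BUILD_ID or manifest comes back as plain text or JSON.
function isExposed(result) {
  if (!result || result.status !== 200) return false;
  const type = String(result.contentType || "").toLowerCase();
  return !type.includes("text/html");
}

// Reduce a map of path -> { status, contentType } to the reachable paths.
function exposedPaths(results) {
  return Object.entries(results)
    .filter(([, result]) => isExposed(result))
    .map(([path]) => path);
}

// Fetch each artifact path on baseUrl. Redirects are not followed, so a
// redirect to a login page or catch-all route is not mistaken for the file.
async function probeOrigin(baseUrl, paths = BUILD_ARTIFACT_PATHS) {
  const results = {};
  for (const path of paths) {
    try {
      const res = await fetch(new URL(path, baseUrl), { redirect: "manual" });
      results[path] = { status: res.status, contentType: res.headers.get("content-type") };
    } catch {
      results[path] = { status: null, contentType: null }; // unreachable: not exposed
    }
  }
  return results;
}

// Usage: node check-next-build.js https://your-site.example (placeholder origin)
const target = process.argv[2];
if (target) {
  probeOrigin(target).then((results) => {
    const exposed = exposedPaths(results);
    console.log(exposed.length ? `EXPOSED: ${exposed.join(", ")}` : "OK: no build files served");
  });
}
```

Run it against the redeployed site; every listed path should come back 404 (or a redirect), and anything reported as EXPOSED means the build directory is still being served.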

AI prompt

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

My site has /.next/BUILD_ID and other build files reachable from the public internet. Diagnose my deployment setup — am I using `next start`, a static export, or serving the whole build directory? Fix the root cause and confirm that /.next/ returns 404 after redeploying.

FAQ

Frequently asked questions

I use `output: 'export'`. Is this relevant?
Less so — static exports produce an `out/` directory without the `.next/` server files. But make sure you deploy `out/`, not the repo root.