Built with Next.js?
Security scanning for Next.js apps
Next.js is the most popular React framework, but even experienced developers miss security headers and accidentally expose server files in production.
Free scan. No account required.
Common issues
Top vulnerabilities in Next.js apps
These are the three most common security issues we find when scanning Next.js projects.
- Missing security headers (CSP, HSTS, X-Frame-Options) on all routes
- Exposed .next directory or source maps leaking server-side code
- CORS headers allowing any origin to access your API routes
How it works
60-second security audit
01. Paste your URL
Enter your Next.js app URL. We handle the rest.
02. Get your score
10 security modules run in parallel against your live site.
03. Fix with AI prompts
Copy the fix prompts into your AI tool and ship secure.
10 security modules, one scan
Every scan checks security headers, SSL/TLS, exposed files, JavaScript secrets, Supabase & Firebase configs, CORS, cookies, email security, and tech detection.
Fix guides for Next.js
Common Next.js security fixes
Missing CSP header
Without a Content-Security-Policy header, a script injected through an XSS flaw runs with no restrictions on what it can load or where it can send data. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, an attacker on the network path can downgrade a user's connection to HTTP and steal session cookies. Here is how to add HSTS on Vercel, Next.js, and other hosts.
Exposed Next.js build files
Build artifacts such as the .next directory, BUILD_ID, or server-side bundles should not be publicly reachable. Here is how to lock them down.
Exposed source maps
Source maps in production let anyone read your original, un-minified source code. Useful in dev, dangerous in prod. Here is how to disable them.
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API from a browser. Sometimes that is fine for public, unauthenticated data; for anything that relies on cookies or tokens it is usually a mistake. Here is how to decide and fix it.
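The allowlist approach the fix guide is pointing at, written out as an added example (this is not the scanner's code or a Next.js project file): instead of `Access-Control-Allow-Origin: *`, the API route reflects the request's `Origin` only when it exactly matches an explicit allowlist, and sends no CORS headers at all otherwise, so the browser blocks the cross-origin read. The origins, the route path and the response payload are constructed placeholders.

```javascript
// Added example: per-request CORS decision for a Next.js App Router API route.
// The allowed origins below are constructed placeholders, not real deployments.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS response headers for `origin` (the request's Origin header
// value, or undefined/null for same-origin and non-browser requests), or null
// when the origin is not allowed. Matching is exact on scheme + host + port,
// so "http://app.example.com" and subdomains are rejected.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return null;
  return {
    // Echo the specific allowed origin; never '*' on a credentialed endpoint.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    // The response now varies by Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Route handler in the App Router shape (Request in, Response out). In a real
// app/api/data/route.js this function would be exported as GET and OPTIONS.
function handleRequest(request) {
  const cors = corsHeadersFor(request.headers.get('origin'));

  if (request.method === 'OPTIONS') {
    // Preflight: 204 with CORS headers when allowed, 403 with none otherwise.
    return new Response(null, { status: cors ? 204 : 403, headers: cors ?? {} });
  }

  // Constructed payload; a disallowed origin still gets the data (the server
  // cannot know who is asking), but without CORS headers the browser refuses to
  // hand it to the calling page.
  const body = JSON.stringify({ ok: true });
  return new Response(body, {
    status: 200,
    headers: { 'Content-Type': 'application/json', ...(cors ?? {}) },
  });
}
```

Note that a missing CORS header is not an authentication control: a non-browser client can still call the endpoint, so the route must also check the session or token. CORS only decides which web origins may read the response from inside a browser.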
Missing X-Frame-Options
Without X-Frame-Options or CSP frame-ancestors, attackers can embed your site in an invisible iframe to trick users into clicking things. Here is the fix.
FAQ
Next.js security FAQ
- What is the fastest way to add security headers to Next.js?
- Add a `headers()` export in `next.config.js` that applies CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to every route. It takes about 10 lines of code.
- Do Next.js 15 apps need CSP or does it come for free?
- No, it is not automatic. Next.js supports nonce-based CSP via middleware, but you must opt in. Shipping a baseline CSP via `headers()` is the fastest path.
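The `headers()` export both FAQ answers describe, written out as an added example (not the scanner's code or any project's own `next.config.js`): it applies the six headers named above to every route and also turns off production browser source maps and the `X-Powered-By` header, which covers the exposed source map and tech-detection findings from the same file. The CSP values are a constructed baseline; the `'unsafe-inline'` in `script-src` is there only because Next.js emits inline bootstrap scripts, and the nonce-based middleware mentioned in the FAQ is the way to remove it.

```javascript
// Added example: a next.config.js that ships a baseline set of security headers.
// Values are constructed defaults for illustration; tune them to your app.

// Headers applied to every route. The FAQ's six headers, in order.
const securityHeaders = [
  {
    key: 'Content-Security-Policy',
    value: [
      "default-src 'self'",
      // Next.js injects inline bootstrap scripts, so a baseline CSP needs
      // 'unsafe-inline' here; replace it with nonces via middleware to close
      // the XSS gap. The rest of the policy still applies either way.
      "script-src 'self' 'unsafe-inline'",
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data: https:",
      "font-src 'self'",
      "connect-src 'self'",
      "frame-ancestors 'none'", // modern equivalent of X-Frame-Options: DENY
      "object-src 'none'",
      "base-uri 'self'",
      "form-action 'self'",
    ].join('; '),
  },
  // Two years, all subdomains, eligible for browser preload lists.
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  // Kept alongside frame-ancestors for clients that only understand the legacy header.
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// The shape Next.js expects from `headers()`: a list of { source, headers }.
// `/(.*)` matches every route, including API routes and static assets.
function buildHeaderRules() {
  return [{ source: '/(.*)', headers: securityHeaders }];
}

// Next.js calls this asynchronously at build time.
async function headers() {
  return buildHeaderRules();
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  headers,
  // Do not ship original source to browsers in production (false is also the default).
  productionBrowserSourceMaps: false,
  // Drop the "X-Powered-By: Next.js" header that tech detection fingerprints.
  poweredByHeader: false,
};

// next.config.js is CommonJS; the guard lets the file also load as an ES module.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

After deploying, confirm the headers on a real response rather than trusting the config: `curl -sI https://your-app.example/` should show all six, and a route that a hosting layer rewrites or caches may need the same headers set at the CDN as well.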
Scan your Next.js app now
Find security issues before your users do. It takes 60 seconds and your first scan is free.