Next.js security checklist — 2026 production ready

The full Next.js security checklist for 2026. Middleware, server actions, env vars, headers, dependencies. Works for 14 and 15.

For: Anyone shipping a Next.js app to production

Versions + patches

Next.js 15.2.3+ or 14.2.25+ (fixes CVE-2025-29927)critical
No high-severity CVEs in npm audit

Routing + middleware

middleware.ts matcher covers every protected route
Middleware auth checks assert, not silently return
Server actions verify session at entry
Dynamic routes check ownership

Env + secrets

No secret prefixed with NEXT_PUBLIC_critical
Secrets stored in Vercel / external secrets manager
.env.local in .gitignore

Headers + CSP

next.config.mjs sets HSTS, X-Frame-Options, X-Content-Type-Optionscritical
CSP configured (nonce-based preferred)
Referrer-Policy: strict-origin-when-cross-origin

Data

SQL queries parameterized
User input validated with Zod or similar
Rate limits on paid-API routes

Next.js security checklist — 2026 production ready · Securie