The hook
Next.js makes it easy to add headers in `next.config.js`, but the source pattern decides which routes get them. A rule that protects the homepage can still miss an API route, dashboard path, or nested page.
How it works
Some Next.js authorization boundaries depend on internal request handling that should not be controllable by outside clients. The risk is unauthorized access to routes that were assumed to be protected.
The blast radius
Header drift weakens defense-in-depth exactly where real app behavior lives: dashboards, API routes, and nested pages. Missing CSP leaves XSS with fewer guardrails, missing frame protection invites clickjacking, and framework banners give attackers cleaner fingerprinting.
// what fixvibe checks
What FixVibe checks
FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Set `poweredByHeader: false` and use broad `/:path*` header coverage for site-wide protections, with explicit exceptions only where needed. Verify root, nested, and API routes after deploy.