FixVibe
Covered by FixVibemedium

Next.js Security Header Misconfiguration in next.config.js

Next.js applications using next.config.js for header management are susceptible to security gaps if path-matching patterns are imprecise. This research explores how wildcard and regex misconfigurations lead to missing security headers on sensitive routes and how to harden the configuration.

CWE-1021CWE-200

Impact

Missing security headers can be exploited to perform clickjacking, cross-site scripting (XSS), or gather information about the server environment [S2]. When headers such as Content-Security-Policy (CSP) or X-Frame-Options are inconsistently applied across routes, attackers can target specific unprotected paths to bypass site-wide security controls [S2].

Root Cause

Next.js allows developers to configure response headers in next.config.js using the headers property [S2]. This configuration uses path matching that supports wildcards and regular expressions [S2]. Security vulnerabilities typically arise from:

  • Incomplete Path Coverage: Wildcard patterns (e.g., /path*) may not cover all intended subroutes, leaving nested pages without security headers [S2].
  • Information Disclosure: By default, Next.js may include the X-Powered-By header, which reveals the framework version unless explicitly disabled via the poweredByHeader configuration [S2].
  • CORS Misconfiguration: Improperly defined Access-Control-Allow-Origin headers within the headers array can allow unauthorized cross-origin access to sensitive data [S2].

Concrete Fixes

  • Audit Path Patterns: Ensure all source patterns in next.config.js use appropriate wildcards (e.g., /:path*) to apply headers globally where necessary [S2].
  • Disable Fingerprinting: Set poweredByHeader: false in next.config.js to prevent the X-Powered-By header from being sent [S2].
  • Restrict CORS: Set Access-Control-Allow-Origin to specific trusted domains rather than wildcards in the headers configuration [S2].

How FixVibe tests for it

FixVibe could perform an active gated probe by crawling the application and comparing the security headers of various routes. By analyzing the X-Powered-By header and the consistency of Content-Security-Policy across different path depths, FixVibe can identify configuration gaps in next.config.js.