The 'X-Nextjs-Page' response header names the Next.js page (the route file) that rendered the response, so its value describes the matched route rather than the concrete URL the client requested (a dynamic route appears with its placeholder segment, for example `/blog/[slug]`). Exposing it lets an attacker map public URLs onto the application's routing structure: which routes are dynamic and what their parameters are, where rewrites and catch-all routes actually send a given request, and which unlinked or lesser-known pages serve particular paths. The header is an information disclosure rather than an exploitable flaw in itself, but it removes the guesswork from route enumeration and points an attacker at a specific page or parameter handler instead of forcing them to fuzz blindly, which is why it widens the overall attack surface.
Remove or mask the 'X-Nextjs-Page' header in production deployments. Next.js sets it while rendering the page, so header rules in next.config.js or in middleware, both of which run before rendering, cannot reliably remove it; strip it at a point that sees the finished response instead, either in a custom server that wraps the Next.js request handler and deletes the header before it is flushed, or at the reverse proxy, CDN, or load balancer in front of the application, all of which can drop or rewrite response headers. Keep Next.js and related dependencies up to date with the latest security patches. A Web Application Firewall (WAF) or intrusion detection system can flag enumeration and probing of route-specific endpoints, but treat it as a compensating control, not as the fix. Finally, audit production responses and logs regularly (a HEAD request against a handful of representative routes is enough) to confirm that no route, directory, or rendering details are leaked inadvertently.
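The custom-server variant of the fix, as an added example written for this finding rather than code from Next.js or from any scanned application. It wraps the response object's writeHead so that identifying headers are deleted at the last moment before the status line and headers are serialized, which is after the point at which Next.js sets them. The StubResponse class, the fakeNextHandler function and the page value `/blog/[slug]` are constructed stand-ins so the helper can be run offline; the real usage, wrapping the handler from next().getRequestHandler() in server.js, is shown as a comment. The SENSITIVE_HEADERS list is an assumption of this example and can be extended.

```javascript
// Added example for this finding, not code from Next.js or from the scanned
// application. It strips identifying response headers at the Node.js layer,
// where a custom Next.js server has the response object in hand. Anything
// that looks like http.ServerResponse (removeHeader + writeHead) works, so the
// same helper is exercised below with a stub response and no network.

// Header names to suppress, lowercased (Node stores header names lowercased).
// 'x-nextjs-page' is the header in this finding; 'x-powered-by' is the usual
// companion fingerprint (Next.js emits "X-Powered-By: Next.js" by default).
const SENSITIVE_HEADERS = ['x-nextjs-page', 'x-powered-by'];

// Drop the listed names from a headers argument passed inline to writeHead.
// Node accepts an object, a flat [name, value, name, value] array, or an array
// of [name, value] pairs; handle all three and pass anything else through.
function scrubInlineHeaders(headers, names) {
  if (!headers || typeof headers !== 'object') return headers;
  if (Array.isArray(headers)) {
    if (headers.length > 0 && Array.isArray(headers[0])) {
      return headers.filter(([k]) => !names.includes(String(k).toLowerCase()));
    }
    const flat = [];
    for (let i = 0; i + 1 < headers.length; i += 2) {
      if (!names.includes(String(headers[i]).toLowerCase())) flat.push(headers[i], headers[i + 1]);
    }
    return flat;
  }
  const obj = {};
  for (const [k, v] of Object.entries(headers)) {
    if (!names.includes(k.toLowerCase())) obj[k] = v;
  }
  return obj;
}

// Wrap res.writeHead so the listed headers are deleted immediately before the
// status line and headers are serialized. Next.js sets x-nextjs-page while
// rendering, i.e. after middleware and after any removeHeader call made before
// the handler runs, so this is the hook that reliably sees the header. Node's
// implicit-header path (res.end without an explicit writeHead) also goes
// through res.writeHead, so those responses are covered too.
function hideResponseHeaders(res, names = SENSITIVE_HEADERS) {
  const originalWriteHead = res.writeHead;
  res.writeHead = function patchedWriteHead(statusCode, ...rest) {
    for (const name of names) res.removeHeader(name);
    if (rest.length > 0) {
      rest[rest.length - 1] = scrubInlineHeaders(rest[rest.length - 1], names);
    }
    return originalWriteHead.call(this, statusCode, ...rest);
  };
  return res;
}

// Minimal stand-in for http.ServerResponse so the helper can run offline.
class StubResponse {
  constructor() { this.headers = new Map(); this.sent = null; }
  setHeader(name, value) { this.headers.set(name.toLowerCase(), value); }
  getHeader(name) { return this.headers.get(name.toLowerCase()); }
  removeHeader(name) { this.headers.delete(name.toLowerCase()); }
  writeHead(statusCode, ...rest) {
    const inline = rest[rest.length - 1];
    if (inline && typeof inline === 'object' && !Array.isArray(inline)) {
      for (const [k, v] of Object.entries(inline)) this.setHeader(k, v);
    }
    this.sent = { statusCode, headers: Object.fromEntries(this.headers) };
    return this;
  }
}

// Constructed imitation of what a Next.js render does to the response:
// the header names are real, the page value is invented for this demo.
function fakeNextHandler(req, res) {
  res.setHeader('X-Powered-By', 'Next.js');
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.setHeader('x-nextjs-page', '/blog/[slug]');
  res.writeHead(200, { 'Cache-Control': 'private, no-cache' });
}

// Push one request through the fake handler, optionally with the fix applied,
// and return the headers that would reach the client.
function renderHeaders(applyFix) {
  const res = new StubResponse();
  if (applyFix) hideResponseHeaders(res);
  fakeNextHandler({ url: '/blog/hello-world' }, res);
  return res.sent.headers;
}

// In a real custom server the wrapper goes around the Next.js request handler;
// kept as a comment so this file runs without the next package installed:
//   const handle = next({ dev: false }).getRequestHandler();
//   http.createServer((req, res) => handle(req, hideResponseHeaders(res)));
```

If a reverse proxy fronts the application, the same result needs no application change: nginx drops the header with `proxy_hide_header x-nextjs-page;` in the relevant location block, and Apache with mod_headers uses `Header always unset X-Nextjs-Page`. The companion `X-Powered-By` header can also be turned off in next.config.js with `poweredByHeader: false`. Verify either fix from outside with `curl -sI https://your-host/some-route | grep -i x-nextjs`, which should print nothing.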
Code: A05:2021
Category: Security Misconfiguration
5.4
5.4