The 'X-Nextjs-Redirect' header carries the destination path that Next.js wants the client-side router to navigate to. Next.js sets it on responses to client data requests (the '/_next/data/...' fetches the Pages Router issues during navigation) when middleware returns a redirect: instead of a 3xx with a 'Location' header, the server answers with HTTP 200 and this header. Exposing it reveals part of the application's routing logic. An attacker probing routes can learn where protected or unlinked pages send unauthenticated or unauthorised users (for example a login, onboarding or error page) and map which paths are gated by middleware, which makes redirect-based access controls easier to enumerate and reason about. On its own the disclosure is informational, since a full-page request to the same path would show the same destination in a 'Location' header, but it does make the application's navigation and access control flows easier to target.
Do not expose 'X-Nextjs-Redirect' to arbitrary clients in production. Next.js adds the header itself, so it is normally removed at the edge: configure the reverse proxy, CDN or load balancer in front of the application to strip it (together with the related 'X-Nextjs-Rewrite' and 'X-Nextjs-Matched-Path' headers) from responses, and make sure no intermediate layer preserves or re-injects it; a custom server can achieve the same before writing the response. Be aware that the Pages Router client reads this header on '/_next/data' responses to complete client-side navigation after a middleware redirect, so test navigation through your middleware after stripping it, and where the header has to remain for the client to work, make sure redirect targets do not reveal more than a public route name. Keep Next.js and its dependencies updated with the latest security patches, and review middleware, plugins and routing code that could leak sensitive route information. Use a Web Application Firewall (WAF) or intrusion detection system to flag unusual redirect patterns or route-enumeration attempts, and periodically inspect real server responses and logs to confirm that no internal routing details are being exposed.
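The following checker is an added example, not code from the original page or from the Next.js project. It sends a normal page request and a client-router data request (marked with the 'x-nextjs-data: 1' request header) to a URL you supply, without following redirects, and reports any internal Next.js routing headers in the response. The header list, the data-request marker and the '/_next/data' path convention are taken from the Pages Router behaviour described above; the URL to test is an assumption supplied on the command line, since the build id in a real '/_next/data/<buildId>/...' path is deployment specific.

```python
"""Check a Next.js deployment for exposed internal routing headers.

Added example (not from the original page or the Next.js project).
Assumes a Pages Router app with middleware: Next.js answers a client
data request that middleware redirects with HTTP 200 plus an
'x-nextjs-redirect' header instead of a 3xx with 'Location'.
"""
import sys
import urllib.error
import urllib.request

# Headers Next.js uses for its own client-router protocol. Any of them
# reaching an arbitrary client discloses routing details; the redirect
# header is the one this finding is about.
INTERNAL_HEADERS = {
    "x-nextjs-redirect": "middleware redirect target",
    "x-nextjs-rewrite": "middleware rewrite target",
    "x-nextjs-matched-path": "matched route pattern",
}


def audit_headers(headers):
    """Return {lower-cased header: value} for every internal Next.js
    header present. HTTP header names are case-insensitive, so the
    comparison normalises case first."""
    found = {}
    for name, value in headers.items():
        key = name.lower()
        if key in INTERNAL_HEADERS:
            found[key] = value
    return found


def redirect_target(headers):
    """Return the redirect destination disclosed by the response, or None.
    Covers both the data-request form (x-nextjs-redirect) and the
    full-page form (Location on a 3xx), so the two can be compared."""
    leaks = audit_headers(headers)
    if "x-nextjs-redirect" in leaks:
        return leaks["x-nextjs-redirect"]
    for name, value in headers.items():
        if name.lower() == "location":
            return value
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so we see them as-is."""

    def redirect_request(self, *args, **kwargs):
        return None


def fetch_headers(url, data_request=False):
    """GET url and return (status, headers dict) without following
    redirects. data_request=True marks the request the way the Next.js
    client router marks its /_next/data fetches."""
    req = urllib.request.Request(url, method="GET")
    if data_request:
        req.add_header("x-nextjs-data", "1")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # raised for 3xx/4xx/5xx
        return err.code, dict(err.headers)


if __name__ == "__main__":
    # Usage: python check_nextjs_headers.py https://example.test/_next/data/<buildId>/account.json
    target = sys.argv[1]
    for label, as_data in (("page request", False), ("data request", True)):
        status, hdrs = fetch_headers(target, as_data)
        leaks = audit_headers(hdrs)
        print(f"{label}: HTTP {status}; internal headers: {leaks or 'none'};"
              f" redirect target: {redirect_target(hdrs)}")
```

Run it once against a page that middleware redirects and once against a public page; a 200 carrying 'x-nextjs-redirect' on the data request confirms the finding, and comparing its value with the 'Location' of the page request shows that both disclose the same destination. If you strip the header at a reverse proxy (for nginx, 'proxy_hide_header x-nextjs-redirect;' in the location block that proxies to Next.js), re-run the data request to confirm it is gone, then exercise client-side navigation through the affected middleware to make sure the router still lands on the right page.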
Code: A05:2021
Category: Security Misconfiguration
5.4