API Security with NextJS Rewrites and Proxy

Introduction

NextJS Proxy and Rewrites are a powerful duo that helps manage and route requests flexibly.

  • NextJS Rewrites act as an internal proxy, essentially mapping one URL path to another. Its biggest advantage is hiding the actual URL of the underlying core server, while transforming requests from Cross-Origin to Same-Origin on the client interface.
  • NextJS Proxy allows you to execute code before a request is completed. As a result, you can easily intervene to implement features like Authentication, authorization, or centralized Rate Limiting, reducing the load on the core API server and maximizing performance. Previously, this function was called middleware, the name change to Proxy aims to confirm that this is an ultra-lightweight Gateway layer:
    • It should only be used for tasks such as Routing, Rewrite, Redirect and managing Header/Cookie.
    • NextJS encourages moving Granular Authorization logic or complex session management into Server Components or Server Actions to take advantage of the stable NodeJS environment and avoid slowing down the response speed of the Proxy.

This is the execution order of how a request passes through these layers, these configurations follow the Server-side routing mechanism, so they apply to both page navigation and API requests.

  • headers: used to set Response Headers (Headers returned from the NextJS Server to the browser). When the browser accesses a URL that matches the source, NextJS will send these headers along, it does not automatically attach headers to requests called from the Client (such as fetch or axios) to the Server, or for internal requests when NextJS renders the page.
    • Main purpose: Security configuration (CORS, Content-Security-Policy, X-Frame-Options) or Cache-Control.
    • Example: You want every web page returned to the user to have the X-Custom-Header.
  • redirects: applied to both Page and API, as long as the path matches the source configuration you set.
    • For Page (User Interface) This is the most common case. When a user accesses an old url, NextJS will respond to that request with a response header field location having the value of the new url, then the browser will automatically redirect to that new url.
    • For API (Route Handlers) redirects also work with API requests (fetch, axios). Behavior: When calling fetch('/api/old-data'), NextJS returns a redirect response. Most HTTP libraries (such as fetch or axios) will automatically follow that redirect path to get data from the new URL. Note: Unlike rewrites (running silently), redirects will make the Client perform a second request to the new URL.
  • proxy: can handle intermediate code for security issues such as JWT, Cookie, Rate limit before sending the actual request to the core service. It can return an error, redirect or allow it to continue to the layers below.
  • beforeFiles: If matched here, the request will be redirected immediately (and return to Proxy with the new URL). Often used for system-wide maintenance pages.
  • Filesystem Check: NextJS checks if you have any physical files that match (such as page.tsx or route.ts in the app router).
  • afterFiles: If it does not find a file, this configuration is checked. Often used as an API Proxy, only calling the Backend when the Frontend does not have that route.
  • Dynamic Routes: Checks dynamic routes like [id].
  • fallback: If all the above steps do not match, this configuration runs. Used when you are in the process of deploying a new system and want to redirect pages under development back to the Legacy System.

Detail

First, please update the next.config.ts file.

import type {NextConfig} from 'next'

const nextConfig: NextConfig = {
  async headers() {
    return [
      {
        source: '/header/:path*',
        headers: [
          {key: 'X-Custom-Header', value: 'custom header value'},
        ],
      },
    ]
  },
  async redirects() {
    return [
      {
        source: '/api/old',
        destination: '/api/new',
        permanent: false,
      },
      {
        source: '/old-page',
        destination: '/new-page',
        permanent: true,
      },
    ]
  },
  async rewrites() {
    return {
      beforeFiles: [
        {
          source: '/before-files/:path*',
          destination: '/api/before-files/:path*',
        },
        {
          source: '/before-files/has-header/:path*',
          has: [{type: 'header', key: 'x-header-field', value: 'secret-value'}],
          destination: '/maintenance',
        },
      ],
      afterFiles: [
        {
          source: '/after-files/:path*',
          destination: '/api/after-files/:path*',
        },
      ],
      fallback: [
        {
          source: '/:path*',
          destination: '/legacy-system/:path*',
        },
      ],
    }
  },
}

export default nextConfig

  • headers: add fields to the response header for responses from the NextJS server.

  • redirects: if matched with the source, it will redirect directly from here instead of checking subsequent layers.

    • permanent: false, status code 307 Temporary Redirect.
    • permanent: true, status code 308 Permanent Redirect.

  • beforeFiles: runs before checking files in the app router.

  • afterFiles: runs only if there is no page.tsx or route.ts file.

  • fallback: the final layer when no source matches.

Note that the default config in afterFiles, if used independently, can be written simply like this:

import type {NextConfig} from 'next'

const nextConfig: NextConfig = {
  async rewrites() {
    return [
      {
        source: '/after-files/:path*',
        destination: '/api/after-files/:path*',
      },
    ]
  },
}

export default nextConfig

The proxy.ts file must be unique and located at the same level as the app folder.

import {NextResponse, type NextRequest} from 'next/server'

export function proxy(request: NextRequest) {
  const {pathname} = request.nextUrl

  if (pathname.includes('error')) {
    return NextResponse.json({error: 'Forbidden'}, {status: 403})
  }

  if (pathname.includes('redirect')) {
    return NextResponse.redirect(new URL('/new-url', request.url), 307)
  }

  if (pathname.includes('next')) {
    const headers = new Headers(request.headers)
    headers.set('x-header-field', 'secret-value')

    return NextResponse.next({request: {headers}})
  }

  return NextResponse.next()
}

export const config = {
  matcher: ['/api/:path*'],
}

In proxy, logic can be applied to handle complex cases such as:

  • NextResponse.json: responds to the client.
  • NextResponse.redirect: redirects to another page.
  • NextResponse.next: you can pass additional headers after customizing, only when calling this function does it continue down to rewrites beforeFiles.
  • Please note that only the APIs matching this configuration will be processed within the proxy.

The app/headers/hook.ts file is just a hook to call the API.

import {useMutation} from '@tanstack/react-query'
import {message} from 'antd'

export const useCallApi = () => {
  return useMutation({
    mutationFn: async (endpoint: string) => {
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
      })

      if (!response.ok) {
        const errorData = await response.json().catch(() => ({}))
        throw new Error(
          errorData.message ||
            `Error ${response.status}: ${response.statusText}`
        )
      }
      return response.json()
    },
    onSuccess: data => {
      message.success('Request successful')
    },
    onError: (error: Error) => {
      message.error(error.message)
    },
  })
}

The app/headers/page.tsx file is used for you to test api call and page navigation cases. Note that because there are many examples, I will not create all full pages, please create your own pages to check according to your needs.

'use client'

import {
  ArrowRightOutlined,
  BugOutlined,
  FastForwardOutlined,
  FileSearchOutlined,
  GlobalOutlined,
  SendOutlined,
  StepForwardOutlined,
  ToolOutlined,
} from '@ant-design/icons'
import {Button, Card, Typography} from 'antd'
import {useRouter} from 'next/navigation'
import {useCallApi} from './hook'

const {Text} = Typography

const apiButtons = [
  {
    label: 'Call API',
    endpoint: '/api/old',
    icon: <SendOutlined />,
    color: 'bg-blue-600',
  },
  {
    label: 'Call Error',
    endpoint: '/api/error',
    icon: <BugOutlined />,
    color: 'bg-red-600',
  },
  {
    label: 'Call Redirect',
    endpoint: '/api/redirect',
    icon: <ArrowRightOutlined />,
    color: 'bg-orange-500',
  },
  {
    label: 'Call Next',
    endpoint: '/api/next',
    icon: <FastForwardOutlined />,
    color: 'bg-green-600',
  },
]

const navButtons = [
  {
    label: 'Go Before Files',
    path: '/before-files/test',
    icon: <GlobalOutlined />,
  },
  {
    label: 'Go Before (Has Header)',
    path: '/api/next/before-files-has',
    icon: <ToolOutlined />,
    info: 'Requires x-maintenance header',
  },
  {
    label: 'Go After Files',
    path: '/after-file/test',
    icon: <FileSearchOutlined />,
  },
  {
    label: 'Go Fallback',
    path: '/any-random-path',
    icon: <StepForwardOutlined />,
  },
]

export default function HeadersPage() {
  const router = useRouter()
  const {mutate, isPending, data, error, variables} = useCallApi()

  return (
    <div className="flex flex-col items-center justify-center min-h-[600px] p-8 bg-slate-50">
      <Card
        title="Testing Panel"
        className="w-full max-w-md shadow-lg rounded-2xl"
      >
        <div className="flex flex-col gap-3">
          <Text
            strong
            className="text-gray-500 text-[11px] uppercase tracking-wider"
          >
            API Requests
          </Text>
          {apiButtons.map(btn => (
            <Button
              key={btn.endpoint}
              type="primary"
              icon={btn.icon}
              loading={isPending && variables === btn.endpoint}
              disabled={isPending}
              onClick={() => mutate(btn.endpoint)}
              className={`h-10 ${btn.color} hover:opacity-90 rounded-lg font-medium shadow-sm transition-all flex items-center justify-center`}
              block
            >
              {btn.label}
            </Button>
          ))}

          <Text
            strong
            className="text-gray-500 text-[11px] uppercase tracking-wider"
          >
            Page Routing
          </Text>
          {navButtons.map(nav => (
            <Button
              key={nav.path}
              type="default"
              icon={nav.icon}
              onClick={() => router.push(nav.path)}
              className="h-10 border-gray-300 hover:border-blue-500 hover:text-blue-500 rounded-lg font-medium flex items-center justify-center text-gray-600"
              block
            >
              {nav.label}
            </Button>
          ))}

          {(data || error) && <hr className="my-4 border-gray-100" />}

          {data && (
            <div className="p-4 bg-green-50 border border-green-200 rounded-xl">
              <Text type="success" strong className="block mb-1 text-xs">
                Success ({variables}):
              </Text>
              <pre className="text-[10px] text-green-800 overflow-auto max-h-40 font-mono">
                {JSON.stringify(data, null, 2)}
              </pre>
            </div>
          )}

          {error && (
            <div className="p-4 bg-red-50 border border-red-200 rounded-xl">
              <Text type="danger" strong className="text-xs">
                Failed ({variables}):
              </Text>
              <p className="text-[11px] text-red-600 mt-1 font-mono">
                {error.message}
              </p>
            </div>
          )}
        </div>
      </Card>
    </div>
  )
}

Check the results as follows


This is custom header


This is page redirect and response data in proxy


This is page redirect with status code


Note that when using a redirect, it will trigger an additional request to navigate directly to the new page, whereas with rewrites, you will still see the URL of the old page but the content displayed is from the new page after the redirection.

Happy coding!

See more articles here.

Comments

Post a Comment

Popular posts from this blog

All Practice Series

Image
Introduction This is a comprehensive page about the technologies I have shared in series format. You can view brief introductions and links to directly access each series you are interested in. In the field of software development, to deploy a product from the initial idea to its release, the standard process typically involves several stages as follows: Database : Designing and implementing the database according to business requirements, storing data during the system's operation. Backend : Handling the main logic of the system, communicating with the database and services. Frontend : Building the interface for users to interact with the system, which could be a desktop, mobile, or web application. This usually includes implementing UI/UX and integrating APIs from the backend. DevOps : Deploying the system for use, which can be done on a server or in the cloud. Testing : Applying testing methods to ensure the product meets the standards for release. Of course, these are just stan...
Read more

Kubernetes Deployment for Zero Downtime

Image
Introduction In Kubernetes (K8s) , a Pod is the smallest resource unit used to run one or more containers during deployment. There are several ways to create a Pod : you can create it directly, use a ReplicationController , or a ReplicaSet . However, the most commonly used resource for managing Pods is the Deployment . When you use a Deployment , it actually creates a ReplicaSet to manage the Pods but comes with many additional benefits that support the deployment process. Some Advantages of Deployment : Ensures Pod Availability : It guarantees that the specified number of Pods are always running according to the configuration, automatically deploying additional Pods if any failures occur. Supports Restart and Undo Deployment : Allows you to easily restart or roll back to previous versions of your Deployment . Zero Downtime Deployment : When updating configurations or scaling Deployments , zero downtime is crucial. This means that new Pods are created while the old Pods are stil...
Read more

Deploying a NodeJS Server on Google Kubernetes Engine

Image
Introduction to GKE Google Kubernetes Engine (GKE) is a managed Kubernetes service provided by Google Cloud Platform , facilitating simple and efficient deployment of Docker images. We only need to provide some configuration for the number of nodes, machine types, and replicas to use. Some Concepts Cluster A Cluster is a collection of Nodes where Kubernetes can deploy applications. A cluster includes at least one Master Node and multiple Worker Nodes . The Master Node is used to manage the Worker Nodes . Node A Node is a server in the Kubernetes Cluster. Nodes can be physical servers or virtual machines. Each Node runs  Kubernetes , which is responsible for communication between the Master Node and Worker Node , as well as managing Pods and containers running on it. Pod A Pod is the smallest deployable unit in Kubernetes . Each Pod contains one or more containers, typically Docker containers. Containers in the same Pod share a network namespace, meaning they have the ...
Read more

Setting up Kubernetes Dashboard with Kind

Image
Introduction In a previous article, I guided you through using Helm to deploy on Google Kubernetes Engine . However, if you want to cut down costs by using Kubernetes in your local environment instead of relying on a cloud provider during development, then Kind is your go-to. There are several tools to help set up Kubernetes locally, such as MiniKube , Kind , K3S , KubeAdm , and more. Each tool has its own pros and cons. In this article, I'll walk you through using Kind to quickly set up a Kubernetes cluster on Docker . Kind stands out for its compactness, making Kubernetes start up quickly, being user-friendly, and supporting the latest Kubernetes versions. Working with Kind Firstly, follow the instructions here to install Kind according to your operating system. If you're using Ubuntu , execute the command: [ $( uname -m ) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64 chmod +x ./kind sudo mv ./kind /usr/local/bin/ki...
Read more

Monitoring with cAdvisor, Prometheus and Grafana on Docker

Image
Introduction Monitoring a system is crucial after deploying a product to a production environment. Keeping an eye on system metrics like logs , CPU , RAM , disks , etc, helps identify the system's status, performance issues, and provides timely solutions to ensure stable operations. While cloud providers like Google , Amazon , or Azure offer built-in monitoring systems, if your company needs to manage multiple applications/systems/containers and desires a centralized monitoring system for easier management, using cAdvisor , Prometheus , and Grafana is a sensible choice. These three popular open-source tools are widely used by DevOps teams, especially for monitoring container applications. cAdvisor Developed by Google , cAdvisor is an open-source project used to analyze resource usage, performance, and other metrics from container applications, providing an overview of all running containers. Find more details here Prometheus Prometheus is a toolkit for system monitoring and a...
Read more

Using Kafka with Docker and NodeJS

Image
Introduction to Kafka Kafka is an open-source , distributed messaging system that functions on a publish/subscribe model. It is widely used by numerous large companies for high-performance , real-time data streaming. Developed by LinkedIn since 2011, Kafka has grown into the most popular distributed streaming platform. It can handle vast amounts of records with high efficiency. Advantages of Kafka Open-source : Freely available and continuously improved by a large community. High-throughput, high-frequency : Capable of processing large volumes of data across topics continuously. Automatic message storage : Allows for easy message retrieval and verification. Large user community : Offers extensive support and shared resources. Basic Concepts If you're new to Kafka and Message Queues, here are some key concepts to understand: Producer : Creates and sends data to the Kafka server, where data is sent as messages in byte array format. Consumer : One or more consumers subscribe to...
Read more

Sitemap

Image
A page aggregator designed for easy reference and search, compiling all blog posts for convenient access. Loading all posts...
Read more

React Practice Series

Image
Introduction React is a JavaScript library created by Facebook , often referred to as the most popular frontend framework today. This page aims to gather articles related to ReactJS , covering topics such as theory, features, and commonly used packages in the process of building ReactJS applications. I will update this series with more articles in the future as new ideas for content come up. The articles are arranged in increasing order of difficulty, so if you have time, it's recommended to start from the beginning of the series. This will ensure you grasp the essential knowledge and information needed for the subsequent articles. Here are some key topics in the series that you need to explore to effectively use ReactJS : Fundamental : React Hook, React Reconciliation. State management : redux, mobx, recoil, zustand, xstate, etc. Middleware libraries : redux-thunk, redux-saga, redux-observable, etc. Popular packages : tasnstack query, immer, styled-components, etc. Rendering te...
Read more

Practicing with Google Cloud Platform - Google Kubernetes Engine to deploy nginx

Image
Introduction This article provides simple step-by-step instructions for those who are new to Google Cloud Platform (GCP) and Google Kubernetes Engine (GKE) . I'll guide you through using  GKE  to create clusters and deploy nginx . The instructions below will primarily use gcloud  and kubectl  to initialize the cluster, which is more convenient than manual management on the Google Cloud interface. Prerequisites First, you need to prepare the following: Have a GCP account with permission to use Cloud services. If you're new, you'll get a $300 free trial to use for 90 days . Create a new GCP project. Enable Compute Engine and Kubernetes Engine services. Install Google Cloud SDK and kubectl For this installation step, refer to the GCP documentation for instructions tailored to your operating system. Once installed, execute the following commands to check if gcloud  and kubectl  are installed: gcloud version kubectl version If you see the version resul...
Read more

Kubernetes Practice Series

Image
Introduction Kubernetes (often abbreviated as K8s ) is an open-source system designed to automate the deployment, scaling, and management of containerized applications. This page serves as a collection of articles related to Kubernetes (K8s) , including theoretical concepts and practical guides on using Kubernetes to set up essential tools for the software development process. I will continue to update this series with new articles as ideas come to mind, to ensure the series becomes more comprehensive. The articles are arranged in increasing order of difficulty to make it easier for you to follow. If you have time, it's recommended that you start from the beginning of the series to acquire the necessary knowledge and information that will prepare you for the subsequent articles. Key Topics Covered in This Series Basic Knowledge : Fundamental concepts, common commands, etc. Resources : Pod, Deployment, Service, StatefulSet, Ingress, etc. Pod Autoscaler : Horizontal and Vertical sc...
Read more