
Is it safe that the Next.js server returns chunks via a direct link, even when the user is not logged in?

For example, I deployed the application with iron-session like this, logged in and received a direct link to the chunk with restricted page source code (it looks like

http://localhost:3000/_next/static/chunks/pages/profile-ssr-dd88f1f8754f9903.js

in this case).

Now I can open it in any other browser without a session. Can an attacker brute-force the prefix in this way and see, for example, what my admin page looks like? Is there a way to protect source code with restricted access, or maybe this is not a problem for some reason?

ytkopobot
  • I am facing the same problem. Did you find a solution to this? Preferably I would like to restrict access to page code on both an authenticated and authorised basis. – U4EA Jan 14 '23 at 19:42

1 Answer


Looks like you can add an auth check with middleware on _next/static, although I haven't tried.

rnbrady
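An added example (not code from the original question, the answer, or the Next.js project) of what such a middleware check on page chunks could look like. It assumes the restricted pages are named profile-ssr and admin (plus anything under admin/), a session cookie named my-app-session, and a stand-in verifySession() with a constructed token set in place of the real iron-session unseal; in a real middleware.js the middleware and config would be exported.

```javascript
// Added example, not from the original post: a Next.js middleware.js that
// refuses to serve page chunks of restricted pages to requests without a
// valid session cookie. Page names, cookie name and the session check are
// assumptions for illustration.

// Assumed: pages whose client bundles should not be public. A name matches
// exactly ("admin") or as a directory prefix ("admin/users").
const PROTECTED_PAGES = ['profile-ssr', 'admin'];

// Assumed cookie name; iron-session lets you choose it in the session options.
const SESSION_COOKIE = 'my-app-session';

// Page chunks look like /_next/static/chunks/pages/<page>-<hash>.js, where
// <page> may contain "/" for nested routes and <hash> is hex added at build.
const PAGE_CHUNK_RE = /^\/_next\/static\/chunks\/pages\/(.+?)-[0-9a-f]{8,}\.js$/;

// Returns the page name if pathname is a chunk of a protected page, else null.
function protectedPageFor(pathname) {
  const m = PAGE_CHUNK_RE.exec(pathname);
  if (!m) return null;
  const page = m[1];
  const hit = PROTECTED_PAGES.some((p) => page === p || page.startsWith(p + '/'));
  return hit ? page : null;
}

// Minimal Cookie header parser: "a=1; b=2" -> Map { "a" => "1", "b" => "2" }.
function parseCookies(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar.set(name, part.slice(idx + 1).trim());
  }
  return jar;
}

// Constructed stand-in for the real session check. In production this is
// where the iron-session cookie would be unsealed with the server secret;
// here a token is valid only if it is in this constructed set.
const VALID_SESSION_TOKENS = new Set(['sealed-token-for-alice']);
function verifySession(token) {
  return token !== undefined && VALID_SESSION_TOKENS.has(token);
}

// Decides whether a request for pathname with the given Cookie header may be
// served: non-page chunks and chunks of public pages are always allowed,
// chunks of protected pages require a valid session.
function decide(pathname, cookieHeader, verify = verifySession) {
  if (protectedPageFor(pathname) === null) return 'allow';
  const token = parseCookies(cookieHeader || '').get(SESSION_COOKIE);
  return verify(token) ? 'allow' : 'deny';
}

// Next.js middleware entry point. Returning a Response short-circuits the
// request; returning nothing lets Next.js serve the static file as usual.
function middleware(request) {
  const { pathname } = new URL(request.url);
  if (decide(pathname, request.headers.get('cookie')) === 'deny') {
    // 404 rather than 401/403 so the response does not confirm the chunk exists.
    return new Response('Not found', { status: 404 });
  }
}

// Only run the middleware for page chunks so other static assets stay untouched.
const config = { matcher: '/_next/static/chunks/pages/:path*' };
```

Two caveats apply to this approach. Middleware only helps if requests for _next/static actually pass through it: when the static directory is served by a CDN or the hosting platform's static layer, the request never reaches middleware, so verify this in the real deployment rather than only on localhost. And hiding the chunk is defence in depth for the page's markup and logic, not a substitute for server-side authorisation of the data the page fetches; anything secret should never be in a client bundle in the first place.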