Next.js · Vercel · App Router

Next.js ships fast.
VibeCheck makes sure it ships safe.

Before you deploy, run VibeCheck. Catches exposed .env keys, missing CSP headers, unprotected API routes, missing rate limits, and 100+ other Next.js production mistakes.

Audit your Next.js app →

Paste your Vercel preview URL. Takes 3 minutes.

What vibe-coded Next.js apps commonly miss

These are not hypothetical risks — they are the actual failure modes VibeCheck catches most frequently in Next.js apps.

NEXT_PUBLIC_ variable misuse

CRITICAL

Any environment variable prefixed with NEXT_PUBLIC_ is bundled into your client-side JavaScript and visible to all visitors. A common mistake is accidentally prefixing secret API keys — making them readable from the browser.
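One way to catch this before the bundle is built is to scan the .env file for NEXT_PUBLIC_ variables whose value or name looks like a server-only secret. The following is an added example, not VibeCheck's code; the key-shape patterns follow the page's own ai-001/ai-002 checks (sk-, sk-proj-, sk-ant-), while the name hints and the generic long-token pattern are assumed heuristics that will produce some false positives. The .env content is constructed sample data.

```javascript
// Added example (not VibeCheck's code): flag NEXT_PUBLIC_ variables that
// carry what looks like a secret. Anything with that prefix is inlined into
// the client bundle and readable by every visitor.

// Key shapes from the page's checks (OpenAI, Anthropic) plus an assumed
// generic "long random token" heuristic. Anthropic is listed first because
// its keys also match the looser OpenAI shape.
const SECRET_PATTERNS = [
  { name: 'anthropic', re: /^sk-ant-[A-Za-z0-9_-]{10,}$/ },
  { name: 'openai', re: /^sk-(proj-)?[A-Za-z0-9_-]{10,}$/ },
  { name: 'generic-token', re: /^[A-Za-z0-9_\-/+=]{32,}$/ },
];

// Assumed name-based hint: these words almost never belong on a public var.
const SECRET_NAME_HINT = /SECRET|PRIVATE|SERVICE_ROLE|PASSWORD/i;

// Minimal .env parser: KEY=value lines, optional surrounding quotes,
// # comments and blank lines skipped. Line numbers are 1-based.
function parseEnv(text) {
  const entries = [];
  text.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted) value = value.slice(1, -1);
    entries.push({ name, value, line: i + 1 });
  });
  return entries;
}

// Returns one finding per NEXT_PUBLIC_ variable that looks like a secret.
function findPublicSecrets(envText) {
  const findings = [];
  for (const { name, value, line } of parseEnv(envText)) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue; // server-only vars are fine
    if (SECRET_NAME_HINT.test(name)) {
      findings.push({ name, line, reason: 'name suggests a server-only secret' });
      continue;
    }
    const hit = SECRET_PATTERNS.find((p) => p.re.test(value));
    if (hit) findings.push({ name, line, reason: `value matches ${hit.name} key pattern` });
  }
  return findings;
}

// Constructed sample .env; all values are placeholders, not real keys.
const SAMPLE_ENV = [
  '# constructed sample .env',
  'NEXT_PUBLIC_API_URL=https://api.example.com',
  'NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiJ9.anon.placeholder',
  'NEXT_PUBLIC_OPENAI_API_KEY="sk-proj-PLACEHOLDER0123456789abcdef"',
  'OPENAI_API_KEY=sk-proj-PLACEHOLDERserveronly',
  'NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=eyJ.service.placeholder',
].join('\n');

// Run stand-alone: node this-file.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(findPublicSecrets(SAMPLE_ENV));
}
```

The Supabase anon key is intentionally left alone: it is designed to be public, which is exactly why the check looks at key shape and naming rather than flagging every NEXT_PUBLIC_ value. Run the same scan against the built .next output (grep for the same patterns) to cover secrets that reach the bundle through other paths.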

API routes with no rate limiting

HIGH

Next.js API routes are zero-config but zero-protection. Without rate limiting, a single malicious user can flood your /api/chat, /api/generate, or /api/signup endpoints — burning through your AI budget or overwhelming your database in minutes.
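To make the missing protection concrete, here is an added example (not VibeCheck's or Next.js's code) of a sliding-window rate limiter and the shape of a /api/chat route handler that uses it, emitting the X-RateLimit-* headers the page's ai-005 check looks for. The request object, the client IP in x-forwarded-for and the simulated traffic are constructed for the example; a real handler would read `request.headers.get('x-forwarded-for')` and return a `NextResponse`.

```javascript
// Added example (not VibeCheck's or Next.js's code): an in-memory
// sliding-window rate limiter. Limits are per key (client IP, or user id
// once the caller is authenticated).
function createRateLimiter({ limit, windowMs }) {
  const hits = new Map(); // key -> timestamps of requests still inside the window

  // `now` is injectable so behaviour can be simulated deterministically.
  function check(key, now = Date.now()) {
    const cutoff = now - windowMs;
    const recent = (hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= limit) {
      hits.set(key, recent);
      // The oldest request in the window decides when a slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    hits.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }
  return { check };
}

// X-RateLimit-* are the headers the page's ai-005 check expects on
// /api/chat and /api/generate; Retry-After is added on a 429.
function rateLimitHeaders(limit, result) {
  const headers = {
    'X-RateLimit-Limit': String(limit),
    'X-RateLimit-Remaining': String(result.remaining),
  };
  if (!result.allowed) headers['Retry-After'] = String(Math.ceil(result.retryAfterMs / 1000));
  return headers;
}

// Route-handler shape for app/api/chat/route.js. It takes a plain
// { headers: {...} } object and returns { status, headers, body } so the
// example runs outside Next.js. Vercel sets x-forwarded-for to the client
// IP; on other hosts that is an assumption to verify.
const CHAT_LIMIT = 10;
const chatLimiter = createRateLimiter({ limit: CHAT_LIMIT, windowMs: 60_000 });

function handleChat(request, now = Date.now()) {
  const forwarded = request.headers['x-forwarded-for'] || '';
  const ip = forwarded.split(',')[0].trim() || 'unknown';
  const result = chatLimiter.check(ip, now);
  const headers = rateLimitHeaders(CHAT_LIMIT, result);
  if (!result.allowed) return { status: 429, headers, body: { error: 'Too Many Requests' } };
  // ... the model call would go here ...
  return { status: 200, headers, body: { reply: 'ok' } };
}

// Constructed traffic: one client bursts 12 requests within a second, then
// returns after the window; a second client is unaffected by the first's quota.
function simulateBurst() {
  const t0 = 1_700_000_000_000;
  const req = (ip) => ({ headers: { 'x-forwarded-for': ip } });
  const statuses = [];
  for (let i = 0; i < 12; i++) statuses.push(handleChat(req('203.0.113.7'), t0 + i * 100).status);
  const afterWindow = handleChat(req('203.0.113.7'), t0 + 61_000).status;
  const otherClient = handleChat(req('198.51.100.9'), t0 + 500).status;
  return { statuses, afterWindow, otherClient };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateBurst());
}
```

The Map lives inside one serverless instance, so on Vercel two concurrent instances keep separate counts; for production the same check should be backed by a shared store such as Redis. Keying on IP also lumps together everyone behind one NAT, so authenticated routes should key on the user id instead.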

Server Actions with no auth check

CRITICAL

Server Actions look like regular functions but they are HTTP endpoints under the hood. An AI assistant that writes a Server Action for a data mutation may not add an auth check on the server, only on the client.
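The following added example (not VibeCheck's or Next.js's code) shows the same delete mutation written the way the page warns about, trusting the client, and the hardened way, re-checking the session and ownership on the server. The in-memory store, the injected `getSession` callback and the user names are constructed for the example; in a real app the module starts with the 'use server' directive, the store is the database, and the session is read from the request cookie.

```javascript
// Added example (not VibeCheck's or Next.js's code): an unsafe Server
// Action next to its hardened form. Both the store and the session loader
// are injected so the file runs outside Next.js.

// Constructed in-memory store standing in for the posts table.
function makeStore() {
  return new Map([
    [1, { id: 1, owner: 'alice' }],
    [2, { id: 2, owner: 'bob' }],
  ]);
}

// Vulnerable: relies on the client only rendering the delete button for the
// owner. A Server Action is a POST endpoint, so that client-side gate is
// bypassable and this deletes whatever id it is handed.
function deletePostUnsafe(store, postId) {
  store.delete(Number(postId));
  return { ok: true };
}

// Hardened: validate the input, establish who is calling on the server,
// and check ownership before mutating. `getSession` is an assumed function
// returning { userId, role } for a signed-in caller or null otherwise
// (synchronous here for the example; a real one is async).
function deletePostSecure(store, rawPostId, getSession) {
  const postId = Number(rawPostId);
  if (!Number.isInteger(postId) || postId <= 0) throw new Error('Bad Request');
  const session = getSession();
  if (!session) throw new Error('Unauthorized'); // not signed in at all
  const post = store.get(postId);
  if (!post) throw new Error('Not Found');
  if (post.owner !== session.userId && session.role !== 'admin') {
    throw new Error('Forbidden'); // signed in as someone else
  }
  store.delete(postId);
  return { ok: true };
}

function errorOf(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return e.message;
  }
}

// Walk both versions through the same scenarios and report what happened.
function runDemo() {
  const anonymous = () => null;
  const asBob = () => ({ userId: 'bob', role: 'user' });
  const asAlice = () => ({ userId: 'alice', role: 'user' });
  const asAdmin = () => ({ userId: 'root', role: 'admin' });

  const s1 = makeStore();
  deletePostUnsafe(s1, '1'); // nobody signed in, post still deleted

  const s2 = makeStore();
  return {
    unsafeDeletedWithoutAuth: !s1.has(1),
    secureRejectsBadId: errorOf(() => deletePostSecure(s2, 'abc', asAlice)),
    secureRejectsAnonymous: errorOf(() => deletePostSecure(s2, '1', anonymous)),
    secureRejectsWrongUser: errorOf(() => deletePostSecure(s2, '1', asBob)),
    post1StillPresent: s2.has(1),
    secureAllowsOwner: deletePostSecure(s2, '1', asAlice).ok && !s2.has(1),
    secureAllowsAdmin: deletePostSecure(s2, '2', asAdmin).ok && !s2.has(2),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

The same pattern applies to the /admin routes the page's auth-018 check covers: the server-side handler, not the page that links to it, is what has to verify the session.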

dangerouslySetInnerHTML with user content

CRITICAL

If user-generated content is rendered via dangerouslySetInnerHTML without sanitization, any user can inject arbitrary scripts into your page. This is a stored XSS vulnerability — one of the most serious frontend security bugs.
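As an added example (not VibeCheck's code), here is a heuristic source scan that flags `dangerouslySetInnerHTML` usages whose `__html` expression is neither a static string nor wrapped in a recognised sanitizer call. The recognised call names (DOMPurify.sanitize, sanitizeHtml, sanitize) and the sample component source are assumptions constructed for the example; it is a line-based regex check, not a parser, so treat it as a review aid.

```javascript
// Added example (not VibeCheck's code): find dangerouslySetInnerHTML whose
// __html value is not a static literal and not passed through a sanitizer.

// Assumed sanitizer call names; extend for whatever your project uses.
const SANITIZER_CALL = /\b(DOMPurify\.sanitize|sanitizeHtml|sanitize)\s*\(/;

// Matches dangerouslySetInnerHTML={{ __html: <expr> }} and captures <expr>.
const INNER_HTML_PROP = /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]*)\}/;

// A plain string literal (no interpolation) cannot carry user content.
function isStaticLiteral(expr) {
  return /^(['"])[^'"]*\1$/.test(expr) || (/^`[^`]*`$/.test(expr) && !expr.includes('${'));
}

// Returns { line, expr } for each suspicious usage; line numbers are 1-based.
function findUnsanitizedInnerHtml(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const m = line.match(INNER_HTML_PROP);
    if (!m) return;
    const expr = m[1].trim();
    if (isStaticLiteral(expr) || SANITIZER_CALL.test(expr)) return;
    findings.push({ line: i + 1, expr });
  });
  return findings;
}

// Constructed sample component source with four usages: raw prop,
// sanitized prop, static markup, and a markdown renderer (which is not a
// sanitizer, so its output is still untrusted HTML).
const SAMPLE_SOURCE = [
  'export default function Comment({ body }) {',
  '  return <div dangerouslySetInnerHTML={{ __html: body }} />;',
  '}',
  'export function Safe({ body }) {',
  '  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(body) }} />;',
  '}',
  'export function Static() {',
  "  return <p dangerouslySetInnerHTML={{ __html: '<b>Terms</b>' }} />;",
  '}',
  'export function Legacy({ html }) {',
  '  return <section dangerouslySetInnerHTML={{__html: marked(html)}} />;',
  '}',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findUnsanitizedInnerHtml(SAMPLE_SOURCE));
}
```

For each finding the fix is either to render the value as text (`{body}`, which React escapes) or to pass it through a maintained sanitizer such as DOMPurify before it reaches `__html`; a markdown or template renderer is not a substitute.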

Missing security headers

HIGH

Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are not set by default in Next.js. Without them, your app is vulnerable to XSS, clickjacking, and MIME sniffing attacks.

Supabase RLS disabled by default

CRITICAL

When you create a new Supabase table, Row Level Security is off. Any authenticated user can read every row in that table. This is one of the most common data exposure bugs in vibe-coded Next.js + Supabase apps.

output: 'export' breaking dynamic routes

HIGH

If you use output: 'export' in next.config.js for static export, dynamic routes and API routes are silently broken at deploy time. The build succeeds but your app has 404s and non-functional endpoints in production.

Missing noindex on staging deployments

MEDIUM

Vercel preview deployments (*.vercel.app) are publicly accessible and indexed by Google by default. If your staging URL doesn't have a noindex meta tag or X-Robots-Tag header, Google can index your unfinished pages — including test content and debug routes.
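The two header problems above (the missing security headers and the missing noindex on preview deployments) have the same fix location, the `headers()` function in next.config.js, so here is one added example (not VibeCheck's or Next.js's code) covering both: a header set that adds `X-Robots-Tag: noindex` when `VERCEL_ENV` is `preview`, and a checker that reports which of these headers a fetched response lacks, treating a CSP `frame-ancestors` directive as equivalent to X-Frame-Options the way the page's sec-003 check does. The CSP value is an assumed strict starting point that most apps will need to loosen; `VERCEL_ENV` is the variable Vercel sets to `production`, `preview` or `development`.

```javascript
// Added example (not VibeCheck's or Next.js's code): security headers for
// next.config.js plus a checker for responses that are missing them.

// Assumed starting CSP; 'unsafe-inline' for styles is a common Next.js
// requirement, and script-src will need nonces or hashes for inline scripts.
const BASE_SECURITY_HEADERS = [
  {
    key: 'Content-Security-Policy',
    value:
      "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
      "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
];

// Preview deployments additionally get a noindex header so search engines
// do not pick up unfinished pages.
function securityHeaders({ vercelEnv }) {
  const headers = [...BASE_SECURITY_HEADERS];
  if (vercelEnv === 'preview') headers.push({ key: 'X-Robots-Tag', value: 'noindex, nofollow' });
  return headers;
}

// What next.config.js's async headers() would return; apply to every route.
// In next.config.js: module.exports = { async headers() { return nextConfigHeaders(); } }
function nextConfigHeaders(env = process.env) {
  return [{ source: '/(.*)', headers: securityHeaders({ vercelEnv: env.VERCEL_ENV }) }];
}

// Checker: given a response's headers as an object (any case), list the
// protections that are absent. Frame protection counts as present if either
// X-Frame-Options or a CSP frame-ancestors directive is set.
function missingSecurityHeaders(responseHeaders, { isPreview = false } = {}) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const missing = [];
  const csp = h['content-security-policy'];
  if (!csp) missing.push('Content-Security-Policy');
  if (!h['x-frame-options'] && !(csp && /frame-ancestors/i.test(csp))) missing.push('X-Frame-Options');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') missing.push('X-Content-Type-Options');
  if (!h['referrer-policy']) missing.push('Referrer-Policy');
  if (isPreview && !/noindex/i.test(h['x-robots-tag'] || '')) missing.push('X-Robots-Tag (noindex)');
  return missing;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed response headers as a bare Next.js app would send them.
  console.log(missingSecurityHeaders({ 'content-type': 'text/html' }, { isPreview: true }));
}
```

To check a deployed URL, fetch it and pass `Object.fromEntries(response.headers)` to `missingSecurityHeaders`; an empty array means every header the page lists is present.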

What VibeCheck specifically catches for Next.js

A sample of the checks most relevant to Next.js deployments.

| Check ID | Name | What it catches | Severity |
|---|---|---|---|
| ai-001 | OpenAI key exposed in client bundle | sk-proj-... or sk-... patterns in JS bundle | CRITICAL |
| ai-002 | Anthropic key in client bundle | sk-ant-... patterns in JS bundle | CRITICAL |
| ai-005 | AI endpoint rate limiting absent | No X-RateLimit headers on /api/chat or /api/generate | HIGH |
| sec-001 | CSP header missing | No Content-Security-Policy response header | HIGH |
| sec-003 | X-Frame-Options missing | No X-Frame-Options or frame-ancestors CSP directive | MEDIUM |
| sec-002 | No HTTPS redirect | HTTP version of URL returns 200 instead of redirect | CRITICAL |
| auth-018 | Admin route not server-protected | /admin accessible without auth header or session cookie | CRITICAL |
| prod-003 | Source maps exposed | *.map files accessible publicly in production | HIGH |
| seo-007 | Staging not noindexed | noindex meta tag or X-Robots-Tag absent on preview deployments | MEDIUM |
| perf-001 | Large JavaScript bundle | Total JS bundle size over 1MB on initial load | MEDIUM |

These are 10 of 168 total checks. Browse all 168 checks →

Add it to your CI as a GitHub Action

Run VibeCheck automatically on every pull request. Block merges when critical issues are found. Works with Vercel preview deployments out of the box.

.github/workflows/vibecheck.yml

name: VibeCheck
on:
  pull_request:
jobs:
  vibecheck:
    runs-on: ubuntu-latest
    steps:
      - name: Run VibeCheck
        uses: Sathappan/vibecheck-action@v1
        with:
          url: https://your-app.vercel.app   # replace with the deployment URL to audit
          fail_below: 60
          block_on: CRITICAL,HIGH
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Ready to ship your Next.js app?

Paste your Vercel preview URL. Get a full production audit in 3 minutes.

Audit your Next.js app →