Why do AI-generated Next.js apps miss security headers?

AI coding assistants like Cursor and GitHub Copilot are trained on code that demonstrates functionality, not production security configuration. Security headers in Next.js require changes to next.config.js that are rarely shown in tutorials or open-source examples, so AI tools almost never suggest them. You must add them manually using the headers() function in next.config.js. Verify your deployment at zeriflow.com/free-scan after adding them.

How do I add all security headers to a Next.js app?

Add security headers in the headers() function inside next.config.js. The minimum recommended set includes Strict-Transport-Security (max-age 63072000, includeSubDomains, preload), X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), Permissions-Policy, and Content-Security-Policy. Apply them to all routes with the source pattern '/(.*)'.

Is NextAuth secure by default?

NextAuth has secure defaults but requires explicit configuration in production. The critical settings are: NEXTAUTH_SECRET must be set to a strong random value (generate with openssl rand -base64 32), NEXTAUTH_URL must point to your production domain, and session cookies should have the Secure flag set. Without NEXTAUTH_SECRET, NextAuth falls back to an insecure development default.

What is the fastest way to check if my Next.js app is secure?

Deploy your app and scan it at zeriflow.com/free-scan. ZeriFlow checks all security headers configured in next.config.js, TLS configuration, cookie security flags, CORS settings, and information disclosure in under 60 seconds. It shows you exactly which headers are present, which are missing, and provides the exact values to add to next.config.js.

How to Secure an AI-Generated Next.js App — 2026 Guide

Antoine Duno

Founder of ZeriFlow · 10 years fullstack engineering · About the author

Key Takeaways

Built your Next.js app with Cursor or GitHub Copilot? AI assistants are great at writing features — but they consistently miss security configuration. Here's how to fix it in five steps.
Includes copy-paste code examples and step-by-step instructions.
Free automated scan available to verify your implementation.

What AI Tools Miss in Next.js

GitHub Copilot, Cursor, and other AI assistants generate excellent Next.js boilerplate. What they consistently skip: security configuration. A fresh AI-generated Next.js app ships without security headers, without a Content Security Policy, with weak NextAuth settings, and with unaudited dependencies.

Step 1 — Security Headers in next.config.js

Is your site actually secure?

Run a free check — 60 seconds

Scan free →

javascript

const nextConfig = {
  poweredByHeader: false,
  async headers() {
    return [{
      source: "/(.*)",
      headers: [
        { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
        { key: "X-Frame-Options", value: "DENY" },
        { key: "X-Content-Type-Options", value: "nosniff" },
        { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
        { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
      ],
    }];
  },
};

Step 2 — Secure API Routes

Every protected route needs authentication:

typescript

import { getServerSession } from "next-auth";
export async function GET() {
  const session = await getServerSession(authOptions);
  if (!session) return new Response("Unauthorized", { status: 401 });
}

Add rate limiting on auth endpoints. Validate all input with Zod.

Step 3 — Configure NextAuth Securely

typescript

export const authOptions: AuthOptions = {
  secret: process.env.NEXTAUTH_SECRET, // openssl rand -base64 32
  useSecureCookies: process.env.NODE_ENV === "production",
  cookies: {
    sessionToken: {
      options: { httpOnly: true, sameSite: "lax", secure: true },
    },
  },
  callbacks: {
    async redirect({ url, baseUrl }) {
      if (url.startsWith(baseUrl)) return url;
      if (url.startsWith("/")) return `${baseUrl}${url}`;
      return baseUrl;
    },
  },
};

Generate NEXTAUTH_SECRET with openssl rand -base64 32. Set NEXTAUTH_URL to your production domain in Vercel environment variables.

Step 4 — Audit Dependencies

bash

npm audit
npm audit fix

Fix all high and critical vulnerabilities before launch.

Step 5 — Verify with ZeriFlow

Deploy your app, then scan it at zeriflow.com/free-scan. A secured Next.js app should score above 75/100. The most common issues in AI-generated Next.js apps: missing CSP (73%), missing Permissions-Policy (68%), cookies without Secure flag (54%).

Quick Reference

What to secure	Where to configure	How to verify
Security headers	`next.config.js` headers()	ZeriFlow scan
Cookie flags	NextAuth options	ZeriFlow scan
API authentication	Each `app/api/` route	Code review
Rate limiting	Middleware or per-route	Load test
Dependencies	`npm audit`	Snyk/Dependabot
Secrets	`.env` files only	`git grep`

Verify your AI-generated app is production-ready.

80+ security checks in 60 seconds — free, no account needed.

Scan now — free See plans

How to Secure Your AI-Generated Next.js App (2026 Guide)