UNPKG

next

Version:

The React Framework

nextjs.org

vercel/next.js

204 lines (150 loc) 6.51 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
--- title: NextResponse description: API Reference for NextResponse. --- {/* The content of this doc is shared between the app and pages router. You can use the `<PagesOnly>Content</PagesOnly>` component to add content that is specific to the Pages Router. Any shared content should not be wrapped in a component. */} NextResponse extends the [Web Response API](https://developer.mozilla.org/docs/Web/API/Response) with additional convenience methods. ## `cookies` Read or mutate the [`Set-Cookie`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie) header of the response. ### `set(name, value)` Given a name, set a cookie with the given value on the response. ```ts // Given incoming request /home let response = NextResponse.next() // Set a cookie to hide the banner response.cookies.set('show-banner', 'false') // Response will have a `Set-Cookie:show-banner=false;path=/home` header return response ``` ### `get(name)` Given a cookie name, return the value of the cookie. If the cookie is not found, `undefined` is returned. If multiple cookies are found, the first one is returned. ```ts // Given incoming request /home let response = NextResponse.next() // { name: 'show-banner', value: 'false', Path: '/home' } response.cookies.get('show-banner') ``` ### `getAll()` Given a cookie name, return the values of the cookie. If no name is given, return all cookies on the response. ```ts // Given incoming request /home let response = NextResponse.next() // [ // { name: 'experiments', value: 'new-pricing-page', Path: '/home' }, // { name: 'experiments', value: 'winter-launch', Path: '/home' }, // ] response.cookies.getAll('experiments') // Alternatively, get all cookies for the response response.cookies.getAll() ``` ### `has(name)` Given a cookie name, return `true` if the cookie exists on the response. ```ts // Given incoming request /home let response = NextResponse.next() // Returns true if cookie exists, false if it does not response.cookies.has('experiments') ``` ### `delete(name)` Given a cookie name, delete the cookie from the response. ```ts // Given incoming request /home let response = NextResponse.next() // Returns true for deleted, false if nothing is deleted response.cookies.delete('experiments') ``` ## `json()` Produce a response with the given JSON body. ```ts filename="app/api/route.ts" switcher import { NextResponse } from 'next/server' export async function GET(request: Request) { return NextResponse.json({ error: 'Internal Server Error' }, { status: 500 }) } ``` ```js filename="app/api/route.js" switcher import { NextResponse } from 'next/server' export async function GET(request) { return NextResponse.json({ error: 'Internal Server Error' }, { status: 500 }) } ``` ## `redirect()` Produce a response that redirects to a [URL](https://developer.mozilla.org/docs/Web/API/URL). ```ts import { NextResponse } from 'next/server' return NextResponse.redirect(new URL('/new', request.url)) ``` The [URL](https://developer.mozilla.org/docs/Web/API/URL) can be created and modified before being used in the `NextResponse.redirect()` method. For example, you can use the `request.nextUrl` property to get the current URL, and then modify it to redirect to a different URL. ```ts import { NextResponse } from 'next/server' // Given an incoming request... const loginUrl = new URL('/login', request.url) // Add ?from=/incoming-url to the /login URL loginUrl.searchParams.set('from', request.nextUrl.pathname) // And redirect to the new URL return NextResponse.redirect(loginUrl) ``` ## `rewrite()` Produce a response that rewrites (proxies) the given [URL](https://developer.mozilla.org/docs/Web/API/URL) while preserving the original URL. ```ts import { NextResponse } from 'next/server' // Incoming request: /about, browser shows /about // Rewritten request: /proxy, browser shows /about return NextResponse.rewrite(new URL('/proxy', request.url)) ``` ## `next()` The `next()` method is useful for Proxy, as it allows you to return early and continue routing. ```ts import { NextResponse } from 'next/server' return NextResponse.next() ``` You can also forward `headers` upstream when producing the response, using `NextResponse.next({ request: { headers } })`: ```ts import { NextResponse } from 'next/server' // Given an incoming request... const newHeaders = new Headers(request.headers) // Add a new header newHeaders.set('x-version', '123') // Forward the modified request headers upstream return NextResponse.next({ request: { // New request headers headers: newHeaders, }, }) ``` This forwards `newHeaders` upstream to the target page, route, or server action, and does not expose them to the client. While this pattern is useful for passing data upstream, it should be used with caution because the headers containing this data may be forwarded to external services. In contrast, `NextResponse.next({ headers })` is a shorthand for sending headers from proxy to the client. This is **NOT** good practice and should be avoided. Among other reasons because setting response headers like `Content-Type`, can override framework expectations (for example, the `Content-Type` used by Server Actions), leading to failed submissions or broken streaming responses. ```ts import { type NextRequest, NextResponse } from 'next/server' async function proxy(request: NextRequest) { const headers = await injectAuth(request.headers) // DO NOT forward headers like this return NextResponse.next({ headers }) } ``` In general, avoid copying all incoming request headers because doing so can leak sensitive data to clients or upstream services. Prefer a defensive approach by creating a subset of incoming request headers using an allow-list. For example, you might discard custom `x-*` headers and only forward known-safe headers: ```ts import { type NextRequest, NextResponse } from 'next/server' function proxy(request: NextRequest) { const incoming = new Headers(request.headers) const forwarded = new Headers() for (const [name, value] of incoming) { const headerName = name.toLowerCase() // Keep only known-safe headers, discard custom x-* and other sensitive ones if ( !headerName.startsWith('x-') && headerName !== 'authorization' && headerName !== 'cookie' ) { // Preserve original header name casing forwarded.set(name, value) } } return NextResponse.next({ request: { headers: forwarded, }, }) } ```