One secure entry point for every outbound API call in Next.js
SSRF protection, CORS management, Rate Limiting, and Request Transformation built directly into the App Router.
- SSRF blocked by default
- 0-config CORS preflight
- Edge & Node runtime
```ts
// app/api/proxy/route.ts
import { nextProxyHandler } from "nextjs-proxy"

export const POST = nextProxyHandler({
  baseUrl: process.env.EXTERNAL_API_BASE,
  allowOrigins: ["https://app.my-domain.com"],
  inMemoryRate: { windowMs: 60000, max: 100 },
  maskSensitiveData: (data) => ({ ...data, password: "***" }),
  log: (e) => console.log("[proxy]", e),
})
```

Core features
Governance and security for every outbound request
A single, audited entry point that controls how your app talks to the outside world.
SSRF Shield
Automatically blocks internal and private hosts like 127.0.0.1 and 169.254.169.254. Named routes mean the client never controls the destination URL.
Zero-Config CORS
Handles preflight OPTIONS requests automatically with secure, credentialed CORS matching only the origins you whitelist.
Flex Rate Limiting
An in-memory process counter out of the box, with pluggable Redis storage support for distributed deployments.
Fully Edge-Ready
Built natively on the Web Fetch API (NextRequest / NextResponse). Compatible with Node.js and Edge runtimes, Next.js 13 to 16+.
Request / Response Transformer
Reshape payloads before they reach upstream and adjust responses before they return to the client.
Audit & Masking
Mask sensitive keys and log every request, response, and error through a single structured logging hook.
Quick start
Up and running in two steps
Install the package, drop a single handler into your route, and configure exactly what you need.
Read the full documentation

```sh
# pnpm
pnpm add nextjs-proxy

# npm
npm install nextjs-proxy
```

Configuration options
| Option | Type | Description |
|---|---|---|
| `routes` | `Record<string, string>` | Named, server-controlled destinations so the client never picks the URL. |
| `baseUrl` | `string` | Prefix used to resolve relative endpoints. |
| `allowOrigins` | `string[]` | CORS whitelist of permitted origins. |
| `allowPrivateHosts` | `boolean` | Opt-in escape hatch for internal hosts (off by default). |
| `inMemoryRate` | `{ windowMs, max, key? }` | Simple in-memory rate limiting grouped by IP or custom key. |
| `transformRequest` | `({ method, endpoint, data }) => {…}` | Modify the payload before the upstream fetch. |
| `transformResponse` | `(res) => any` | Adjust the response before sending it to the client. |
| `maskSensitiveData` | `(data) => any` | Sanitize and mask sensitive keys before transit. |
| `validate` | `(req) => boolean \| Promise` | Block the flow for auth or permission checks. |
| `log` | `(info) => void` | Receive request, response, and error events. |
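As an added, hypothetical illustration (not nextjs-proxy's own implementation) of the two SSRF controls the options above describe, named `routes` and the `allowPrivateHosts` escape hatch: a resolver that maps a client-supplied route key to a server-controlled URL and refuses loopback, link-local (including the metadata endpoint) and RFC 1918 hosts unless `allowPrivateHosts` is set. The `ProxyOptions` shape, `isPrivateHost` and `resolveRoute` are assumptions made for this sketch.

```typescript
// Added, hypothetical sketch (not nextjs-proxy's implementation) of the two
// SSRF controls above: named routes and the allowPrivateHosts escape hatch.
interface ProxyOptions {
  routes: Record<string, string>; // route key -> server-controlled target
  baseUrl?: string;               // prefix for relative targets
  allowPrivateHosts?: boolean;    // opt-in; undefined/false blocks private hosts
}

// Loopback, link-local (covers the 169.254.169.254 metadata endpoint),
// RFC 1918 and the "this network" block, checked against the IPv4 literal.
const PRIVATE_V4 = [
  /^127\./, /^10\./, /^192\.168\./, /^169\.254\./, /^0\./,
  /^172\.(1[6-9]|2\d|3[01])\./,
];

function isPrivateHost(hostname: string): boolean {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // drop IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  // IPv6 loopback, unspecified, link-local (fe80::/10) and unique-local (fc00::/7)
  if (h === "::1" || h === "::" || /^fe[89ab][0-9a-f]:/.test(h) || /^f[cd][0-9a-f]{2}:/.test(h)) {
    return true;
  }
  // IPv4-mapped IPv6 such as ::ffff:127.0.0.1 is checked as its IPv4 part
  const mapped = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  const v4 = mapped ? mapped[1] : h;
  return PRIVATE_V4.some((re) => re.test(v4));
}

// Map a client-supplied route key to the URL the server will fetch.
// Throws (instead of fetching) for unknown routes, non-HTTP schemes and,
// unless allowPrivateHosts is set, for private/internal hosts.
function resolveRoute(opts: ProxyOptions, routeKey: string): URL {
  // hasOwnProperty: a key like "constructor" must not resolve via Object.prototype
  if (!Object.prototype.hasOwnProperty.call(opts.routes, routeKey)) {
    throw new Error(`unknown route: ${routeKey}`);
  }
  const url = new URL(opts.routes[routeKey], opts.baseUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  if (!opts.allowPrivateHosts && isPrivateHost(url.hostname)) {
    throw new Error(`private host blocked: ${url.hostname}`);
  }
  return url;
}
```

The check runs on the configured target only; a deployment that also wants protection against DNS names resolving to private addresses needs a resolver-level check in addition to this literal-based one.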
Why it matters
Rewrites vs custom middleware vs nextjs-proxy
Rewrites are great for simple path forwarding. For security, auditing, and governance, nextjs-proxy wins.
| Capability | Rewrites | Custom middleware | nextjs-proxy |
|---|---|---|---|
| Security & SSRF protection | | | |
| Auditing & structured logging | | | |
| Governance over destinations | | | |
| Header & credential control | | | |
| Rate limiting built in | | | |
| Request / response transform | | | |
| Native to App Router | | | |
| Minimal boilerplate | | | |
