Fullstack CourseLearn by building
Back to week 3

Topic

Use Next proxying carefully

Definition

A Next.js rewrite or proxy forwards a matching web request to another destination while preserving a controlled browser-facing route shape.

In simpler words

It can change where a browser request goes, but it does not change who owns the API or who authorizes it.

Proxying can simplify a browser path, but it must preserve cookie, CORS, and error behavior intentionally.

After this you can

  • Recognize a rewrite boundary
  • Explain why proxying is not authorization
  • Preserve the product API contract

Forward requests without duplicating rules

A rewrite maps a request path to another destination. The browser may see one stable route while the upstream server receives the request, but domain validation and permission checks still happen upstream.

Proxying changes topology, not security. It can make development and same-origin browser requests easier, yet it can also hide cookie, header, and error-handling differences if configured casually.

A focused rewrite

// next.config.ts
async rewrites() {
  return [{ source: '/api/:path*', destination: 'http://localhost:3001/:path*' }];
}

The browser-facing path is forwarded; the API server still handles the request.

Mistake: treating a rewrite as access control

// Wrong assumption: “Only /api users can reach Nest now.”
// A rewrite does not block direct requests to the upstream API.

// Right: Nest validates the JWT and permissions for every request.

Authorization belongs at the server that owns the protected resource.

Preserve the request contract

Definition

A proxy must deliberately handle credentials, headers, origin rules, and non-success responses.

In simpler words

A convenient browser route is not a replacement for documenting the Nest API for other consumers.

Test cookie behavior in the deployed HTTPS topology, not only on localhost.

Avoid adding a proxy layer when direct, documented API access already meets the product need.

Live playground

Proxy playground

Follow a browser request through a rewrite to the Nest API.

Rewrites change URL shape, not Nest authorization.

next-proxy

Keep in mind

  • Treat rewrites as routing, not security.
  • Verify cookies and error responses through the full proxy path.
  • Keep the upstream Nest contract usable and documented.

Test

Check your understanding

At least 10 questions — mix of concept, syntax, practical, and logic. Score ≥ 80% (enforced by the API) to save progress.

Checking your session…

10 questions · concept 3 · syntax 2 · practical 3 · logic 2

Concept1. Which statement is the most accurate definition of Next proxying?
Syntax2. Which code-level choice is consistent with Next proxying?
Practical3. A reviewer sees this situation. Which decision best applies Next proxying?
Logic4. What reasoning correctly explains why this approach works for Next proxying?
Concept5. Which boundary does the correct use of Next proxying preserve?
Practical6. What is the safest next step when implementing Next proxying?
Syntax7. Which implementation direction matches the rule for Next proxying?
Logic8. Which consequence follows from applying Next proxying correctly?
Concept9. Which claim about Next proxying is true in this monorepo?
Practical10. Which team practice best demonstrates Next proxying?