How to Fix Insecure Direct Object References (IDOR) in Next.js
Learn how to prevent and fix Insecure Direct Object References (IDOR) vulnerabilities in Next.js applications. Step-by-step guide with code examples, security checklists, and best practices.
What Is Insecure Direct Object References (IDOR)?
Insecure Direct Object References (IDOR) is an access control vulnerability where an application uses user-supplied input to directly access objects (like database records, files, or API resources) without verifying the user's authorization to access that specific object. The vulnerability occurs when internal identifiers such as database IDs, filenames, or sequential numbers are exposed in URLs, form fields, or API parameters.
For example, if a user can view their invoice at `/api/invoices/1234` and simply changing the ID to `/api/invoices/1235` reveals another user's invoice, that is an IDOR vulnerability. The application checked that the user was authenticated but failed to verify that the specific invoice belongs to that user.
IDOR is extremely common in modern web applications, particularly those with RESTful APIs where resource identifiers are part of the URL path. It is often introduced when developers focus on authentication (is the user logged in?) but neglect authorization (is this user allowed to access this specific resource?). Even applications using UUIDs instead of sequential integers can be vulnerable if the UUIDs are leaked or predictable.
Why It Matters
IDOR vulnerabilities can expose sensitive data belonging to other users, including personal information, financial records, private messages, and documents. Because IDOR exploits are simple (often just changing a number in a URL), they are frequently discovered by unsophisticated attackers or automated scanners. The impact scales with the sensitivity of the exposed data and the number of affected records. In multi-tenant SaaS applications, IDOR can allow one customer to access another customer's data, leading to severe trust and compliance issues. IDOR was a factor in several major data breaches, including the 2019 First American Financial breach that exposed 885 million records.
How to Fix It in Next.js
Implement proper authorization checks for every data access operation. Never rely solely on authentication -- verify that the authenticated user has permission to access the specific requested resource. In database queries, always filter by the current user's ID or organization (e.g., `WHERE user_id = :currentUser AND id = :requestedId`). Use Supabase Row Level Security (RLS) policies or similar database-level access controls. Replace sequential IDs with UUIDs in public-facing interfaces to reduce enumeration risk (but still verify authorization). Implement access control at the service layer, not just the controller layer. Conduct authorization testing as part of your security review process.
Next.js-Specific Advice
- Use Server Components for data fetching to keep secrets off the client bundle. Only `NEXT_PUBLIC_` prefixed env vars are exposed to the browser.
- Enable strict Content Security Policy headers in `next.config.js` using the `headers()` function. Block inline scripts and restrict allowed origins.
- Validate all Server Action inputs with Zod or a similar schema validator. Server Actions are public HTTP endpoints -- treat them like API routes.
- Use `next/headers` to access cookies securely in Server Components. Never parse cookies manually from request headers.
Next.js Security Checklist for Insecure Direct Object References (IDOR)
Next.js Security Best Practices
Use Server Components for data fetching to keep secrets off the client bundle. Only `NEXT_PUBLIC_` prefixed env vars are exposed to the browser.
Enable strict Content Security Policy headers in `next.config.js` using the `headers()` function. Block inline scripts and restrict allowed origins.
Validate all Server Action inputs with Zod or a similar schema validator. Server Actions are public HTTP endpoints -- treat them like API routes.
Use `next/headers` to access cookies securely in Server Components. Never parse cookies manually from request headers.
Configure `images.remotePatterns` in `next.config.js` to allowlist trusted image domains and prevent SSRF through the image optimization API.
Implement middleware-based authentication checks for protected routes using `NextResponse.redirect()` rather than client-side guards alone.
Use the built-in CSRF protection in Server Actions. For custom API routes, implement CSRF tokens manually or use the Origin header check.
Set `poweredByHeader: false` in `next.config.js` to remove the `X-Powered-By: Next.js` header that helps attackers fingerprint your stack.
Scan Your Next.js App with SafeVibe
Stop guessing if your Next.js app is vulnerable to Insecure Direct Object References (IDOR). Run an automated penetration test in minutes and get actionable results.
Start Free Scan