𝗜 𝗠𝗮𝗱𝗲 𝗧𝗵𝗿𝗲𝗲 𝗖𝗼𝘀𝘁𝗹𝘆 𝗔𝘂𝘁𝗵 𝗠𝗶𝘀𝘁𝗮𝗸𝗲𝘀 𝗪𝗶𝘁𝗵 𝗡𝗲𝘅𝘁.𝗷𝘀 𝟭𝟲

I messed up the proxy.ts matcher on three different projects.

The worst part? There were no errors. No warnings. No logs. Everything looked perfect until security holes appeared.

Next.js 16 changed middleware.ts to proxy.ts. This is not just a name change. It is a fundamental shift in how you handle requests.

Here is what you must know to avoid breaking your auth.

𝗧𝗵𝗲 𝗡𝗲𝘄 𝗥𝘂𝗹𝗲𝘀 Middleware was confusing. Developers used it for database calls and heavy logic. That is not its job.

The proxy sits at the network boundary. It intercepts requests before they reach your routes.

𝗧𝗵𝗲 𝗦𝗶𝗹𝗲𝗻𝘁 𝗙𝗮𝗶𝗹𝘂𝗿𝗲 If you upgrade Next.js without using a codemod, your old middleware.ts file might stay in your project. It will pass TypeScript checks. It will compile fine.

But it will do nothing.

Your redirects will not fire. Your auth will not run. Your app will simply bypass the security layer silently.

𝗖𝗵𝗲𝗰𝗸 𝗧𝗵𝗲𝘀𝗲 𝗧𝗵𝗿𝗲𝗲 𝗧𝗵𝗶𝗻𝗴𝘀 𝗠𝗮𝗻𝘂𝗮𝗹𝗹𝘆:

𝗧𝗵𝗲 𝗠𝗮𝘁𝗰𝗵𝗲𝗿 𝗧𝗿𝗮𝗽 Most auth setups break in the matcher config. If you do not exclude static files, the proxy runs on every CSS and JS file. This creates infinite redirect loops on assets.

Use a negative lookahead to exclude:

𝗪𝗮𝗿𝗻𝗶𝗻𝗴: 𝗗𝗼𝗻𝘁 𝗧𝗿𝘂𝘀𝘁 𝗛𝗲𝗮𝗱𝗲𝗿𝘀 𝗔𝗹𝗼𝗻𝗲 This is where I got burned.

The proxy sets headers like x-user-id on the request. Your Server Components read these via headers().

If your matcher has a gap, a user can send their own x-user-id header. The Server Component cannot tell the difference between a proxy-set header and a client-sent header.

An attacker could spoof a user ID on an unmatched route. They might not see data, but they could gain permissions they should not have.

𝗧𝗵𝗲 𝗙𝗶𝘅: The proxy is your fast gate. It handles the heavy lifting at the edge.

But you must verify the JWT again inside your Server Components.

Redundansi adalah keamanan.

𝗦𝘂𝗺𝗯𝗲𝗿: https://dev.to/shubhradev/i-got-the-proxyts-matcher-wrong-for-three-projects-before-i-understood-why-4e5c