Replies: 1 comment 1 reply
Hi, for your specific case, if you are self-hosting, we recommend using a Reverse Proxy, to not expose your Next.js server directly to the internet. That'll mitigate most of these issues. While it is not ideal that the older versions have this issue, rather than waiting on a patch, the reverse proxy way should be applied. If you deploy to a serverless hosting provider, your server is likely already behind a reverse proxy and other layers, so the issue should be mitigated there too. Last but not least, https://nextjs.org/support-policy, v14 and older are out of the Maintenance, so whether or not the backport patch happens,
Summary
I recently came across the following article:
Taking down Next.js servers for 0.0001 cents a pop
https://www.harmonyintelligence.com/taking-down-next-js-servers
This issue was addressed in PR #84539, but Next.js v14, v13, and v12 are still vulnerable to a DoS threat.
Since some systems cannot immediately upgrade to a major version, I'd like to ask if it would be possible to backport this fix to those versions, where feasible.
Additional information
No response
Example
No response