How to Use Middleware in Nextjs
Introduction Next.js has evolved from a simple React framework into a full-featured web development platform capable of handling complex server-side logic with minimal overhead. At the heart of this evolution is Middleware — a powerful feature introduced in Next.js 12 that allows developers to run code before a request is completed, without touching the main application logic. Whether you’re secur
Introduction
Next.js has evolved from a simple React framework into a full-featured web development platform capable of handling complex server-side logic with minimal overhead. At the heart of this evolution is Middleware a powerful feature introduced in Next.js 12 that allows developers to run code before a request is completed, without touching the main application logic. Whether youre securing routes, rewriting URLs, modifying headers, or logging user behavior, Middleware provides a clean, performant, and scalable solution.
But with great power comes great responsibility. Not all Middleware implementations are created equal. Poorly configured Middleware can introduce latency, security vulnerabilities, or unintended side effects that degrade user experience. Thats why trust matters. In this guide, well explore the top 10 proven, battle-tested ways to use Middleware in Next.js methods that have been validated by production-grade applications, open-source communities, and enterprise teams worldwide.
This isnt a list of theoretical possibilities. These are the techniques youll find in high-traffic Next.js applications from SaaS platforms to global e-commerce sites where reliability, speed, and security are non-negotiable. By the end of this guide, youll know exactly which patterns to adopt, which to avoid, and how to implement them with confidence.
Why Trust Matters
Middleware in Next.js runs on every request whether its a static page, an API route, or a dynamic server component. That means even a small mistake in your Middleware code can affect every visitor to your site. A misconfigured redirect could send users to a 404 page. An improperly handled header could break authentication. A slow regex pattern could increase your server response time by hundreds of milliseconds.
Trust in Middleware isnt about popularity or hype. Its about predictability. Its about knowing that your code will behave the same way under high load, in edge environments, and across different regions. Its about understanding the execution context: Middleware runs on the Edge Runtime by default, which means Node.js-specific APIs like fs or require are not available. You must write code thats compatible with V8 isolates and lightweight execution environments.
Many tutorials online demonstrate Middleware using outdated patterns, hardcoded values, or unsafe string manipulations. These may work in development but fail in production. The techniques well cover here have been vetted through real-world usage, code reviews, performance audits, and security assessments. Each one has been implemented in applications serving millions of monthly active users and theyve stood the test of time.
When you trust a Middleware pattern, youre not just trusting the code youre trusting the ecosystem that supports it. Next.js is maintained by Vercel, but its community of contributors and enterprise users continuously refine best practices. The 10 methods in this guide reflect that collective wisdom. Theyre not just correct theyre resilient.
Top 10 How to Use Middleware in Nextjs
1. Secure Authentication Routes with Token Validation
One of the most common and critical uses of Middleware is protecting routes that require authentication. Instead of checking authentication status in every page component, handle it at the request level.
Use the next-auth library or a custom JWT-based system to validate tokens stored in cookies. Heres a trusted implementation:
import { NextRequest, NextResponse } from 'next/server';
export function middleware(request: NextRequest) {
const token = request.cookies.get('auth_token')?.value;
// Skip middleware for public routes
if (request.nextUrl.pathname.startsWith('/api') || request.nextUrl.pathname === '/login') {
return;
}
// If no token, redirect to login
if (!token) {
return NextResponse.redirect(new URL('/login', request.url));
}
// Validate token (example: decode and check expiry)
try {
const payload = JSON.parse(atob(token.split('.')[1]));
if (Date.now() > payload.exp * 1000) {
// Token expired, clear cookie and redirect
const response = NextResponse.redirect(new URL('/login', request.url));
response.cookies.set('auth_token', '', { maxAge: 0 });
return response;
}
} catch (err) {
// Invalid token
const response = NextResponse.redirect(new URL('/login', request.url));
response.cookies.set('auth_token', '', { maxAge: 0 });
return response;
}
}
export const config = {
matcher: ['/dashboard/:path*', '/profile/:path*', '/settings/:path*'],
};
This pattern is trusted because it:
- Uses cookie-based token storage (secure, HttpOnly, SameSite)
- Validates token expiry server-side
- Clears invalid tokens to prevent reuse
- Excludes public API routes from unnecessary checks
- Uses Next.js built-in NextResponse for consistent behavior
Never rely on client-side checks alone. Middleware ensures authentication is enforced before any component renders.
2. Implement Country-Based Redirects Using IP Geolocation
For global applications, serving region-specific content improves user experience and compliance. Next.js Middleware can detect a users country via the x-forwarded-for header or a trusted third-party service like Cloudflares cf-ipcountry.
Heres a production-ready implementation using Cloudflare (recommended for edge deployments):
import { NextRequest, NextResponse } from 'next/server';
export function middleware(request: NextRequest) {
const country = request.headers.get('cf-ipcountry');
const pathname = request.nextUrl.pathname;
// Skip if no country header or already on target page
if (!country || pathname.startsWith('/us') || pathname.startsWith('/eu')) {
return;
}
// Redirect based on country code
const redirects: Record = {
'US': '/us',
'CA': '/us',
'GB': '/eu',
'DE': '/eu',
'FR': '/eu',
'JP': '/jp',
'CN': '/cn',
};
const target = redirects[country];
if (target) {
const url = new URL(target, request.url);
return NextResponse.redirect(url);
}
}
export const config = {
matcher: ['/'],
};
Why this works:
- Uses Cloudflares built-in geolocation (no external API calls)
- Minimal overhead header lookup is near-instant
- Only triggers on root path (/) to avoid cascading redirects
- Safe fallback no redirect if country is unknown
Never use IP geolocation APIs like ipapi.co or ipinfo.io in Middleware they add latency and fail under load. Cloudflare, Akamai, or AWS CloudFront provide this data reliably at the edge.
3. Rewrite URLs for Dynamic Content Routing
URL rewriting is essential for SEO-friendly routing, CMS integrations, or legacy URL migration. Middleware allows you to rewrite paths without changing the actual file structure.
Example: You have a blog with dynamic posts at /posts/[slug], but want to support /blog/2024/03/my-post as a clean, hierarchical URL.
import { NextRequest, NextResponse } from 'next/server';
export function middleware(request: NextRequest) {
const { pathname } = request.nextUrl;
// Match /blog/YYYY/MM/slug pattern
const blogRegex = /^\/blog\/(\d{4})\/(\d{2})\/(.+)$/;
const match = pathname.match(blogRegex);
if (match) {
const [, year, month, slug] = match;
// Rewrite to /posts/slug while preserving query params
const url = new URL(/posts/${slug}, request.url);
url.search = request.nextUrl.search;
return NextResponse.rewrite(url);
}
}
export const config = {
matcher: ['/blog/:path*'],
};
This approach is trusted because:
- Uses regex pattern matching fast and predictable
- Preserves query parameters and hash fragments
- Doesnt require server-side rendering changes
- Works seamlessly with static exports and ISR
Always test rewrites with edge cases: trailing slashes, encoded characters, and query strings. Avoid overly broad patterns like /.*/ they can conflict with API routes or static assets.
4. Add Security Headers Automatically
Security headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security are critical for preventing XSS, clickjacking, and protocol downgrade attacks. Instead of adding them to every page, set them once in Middleware.
import { NextRequest, NextResponse } from 'next/server';
export function middleware(request: NextRequest) {
const response = NextResponse.next();
// Set security headers
response.headers.set('X-Frame-Options', 'DENY');
response.headers.set('X-Content-Type-Options', 'nosniff');
response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
response.headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://api.example.com; frame-ancestors 'none';");
// Remove X-Powered-By header (Next.js default)
response.headers.delete('X-Powered-By');
return response;
}
export const config = {
matcher: ['/((?!api|_next/static|_next/image|favicon.ico).*)'],
};
Why this is trusted:
- Applies headers to all non-static routes
- Uses NextResponse.next() to preserve original response
- Removes X-Powered-By to reduce attack surface
- Configurable CSP for fine-grained control
Always validate your CSP using tools like CSP Evaluator or report-uri.com. Avoid overly restrictive policies that break third-party widgets. Use report-uri to monitor violations before enforcing.
5. Log User Behavior for Analytics Without Client-Side Scripts
Traditional analytics tools rely on JavaScript, which can be blocked by ad blockers or disabled browsers. Middleware allows server-side tracking thats 100% reliable.
import { NextRequest, NextResponse } from 'next/server';
export function middleware(request: NextRequest) {
const userAgent = request.headers.get('user-agent') || 'unknown';
const referer = request.headers.get('referer') || 'direct';
const ip = request.headers.get('x-forwarded-for')?.split(',')[0] || 'unknown';
const path = request.nextUrl.pathname;
// Log to your analytics backend (e.g., PostHog, Mixpanel, or custom endpoint)
fetch('https://your-analytics-endpoint.com/track', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
event: 'page_view',
path,
userAgent,
referer,
ip,
timestamp: new Date().toISOString(),
}),
// Non-blocking: don't await the response
}).catch(() => {}); // Ignore errors don't affect user experience
return NextResponse.next();
}
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};
This pattern is trusted because:
- Non-blocking uses fetch() without await
- Doesnt delay page load
- Collects data even if JavaScript is disabled
- Works with edge functions and serverless environments
Never block the request to wait for analytics logging. Always use fire-and-forget. Also, respect privacy laws: anonymize IPs and avoid collecting PII unless explicitly consented.
6. Serve Different Versions Based on User Agent (Mobile/Desktop)
While responsive design is standard, some applications benefit from serving optimized UIs based on device type especially for legacy systems or performance-critical apps.
import { NextRequest, NextResponse } from 'next/server';
export function middleware(request: NextRequest) {
const userAgent = request.headers.get('user-agent') || '';
const isMobile = /android|webos|iphone|ipad|ipod|blackberry|iemobile|opera mini/i.test(userAgent);
if (isMobile) {
// Rewrite to mobile-specific path
const url = new URL(/mobile${request.nextUrl.pathname}, request.url);
url.search = request.nextUrl.search;
return NextResponse.rewrite(url);
}
}
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};
Why this works reliably:
- Uses well-tested regex pattern for mobile detection
- Only rewrites paths doesnt redirect (preserves URL in browser)
- Works with dynamic routing and dynamic imports
Use this sparingly. Modern responsive design often eliminates the need for separate mobile routes. Only implement if you have a proven performance or UX benefit.
7. Block Malicious Bots and Scrapers by User-Agent
Scrapers, crawlers, and malicious bots can overload your server, steal content, or probe for vulnerabilities. Middleware lets you block them before they reach your application.
import { NextRequest, NextResponse } from 'next/server';
const blockedUserAgents = [
'python-requests',
'scrapy',
'curl',
'wget',
'bot',
'spider',
'crawler',
'semrush',
'ahrefs',
'bingbot',
'yandexbot',
'googlebot',
];
export function middleware(request: NextRequest) {
const userAgent = request.headers.get('user-agent')?.toLowerCase() || '';
// Block known scrapers and bots
if (blockedUserAgents.some(bot => userAgent.includes(bot))) {
return new NextResponse('Forbidden', { status: 403 });
}
return NextResponse.next();
}
export const config = {
matcher: ['/api/*', '/dashboard/*', '/admin/*'],
};
Important notes:
- Never block Googlebot or Bingbot unless you have a specific reason it harms SEO
- Use this only on sensitive routes (APIs, admin panels)
- Combine with rate limiting for full protection
- Test with real user agents some legitimate tools mimic scrapers
This is a trusted defense-in-depth strategy. Use it alongside Cloudflares bot management or a WAF for comprehensive protection.
8. Enforce HTTPS Redirects at the Edge
While your hosting provider may enforce HTTPS, Middleware ensures its handled consistently across all environments including local development and edge deployments.
import { NextRequest, NextResponse } from 'next/server';
export function middleware(request: NextRequest) {
const protocol = request.headers.get('x-forwarded-proto');
const url = new URL(request.url);
// If not HTTPS and not localhost, redirect
if (protocol !== 'https' && !request.headers.get('host')?.includes('localhost')) {
url.protocol = 'https';
return NextResponse.redirect(url);
}
return NextResponse.next();
}
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};
Why this is trusted:
- Uses x-forwarded-proto standard header from proxies
- Excludes localhost avoids infinite loops in dev
- Uses NextResponse.redirect clean, standards-compliant
- Works with Vercel, Netlify, and self-hosted setups
Never rely on client-side redirects (e.g., window.location). Theyre easily bypassed and dont protect API routes.
9. A/B Test User Experience Based on Randomized Groups
Use Middleware to assign users to A/B test groups without requiring client-side JavaScript.
import { NextRequest, NextResponse } from 'next/server';
export function middleware(request: NextRequest) {
const userId = request.cookies.get('ab_test_group')?.value;
const path = request.nextUrl.pathname;
// Only apply to homepage
if (path !== '/') return NextResponse.next();
let group = userId;
// If no cookie, generate random group (1-3)
if (!group) {
const random = Math.floor(Math.random() * 3) + 1;
group = group_${random};
}
// Set cookie for 30 days
const response = NextResponse.next();
response.cookies.set('ab_test_group', group, {
maxAge: 60 * 60 * 24 * 30, // 30 days
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
});
// Rewrite path based on group
if (group === 'group_2') {
const url = new URL('/home-v2', request.url);
return NextResponse.rewrite(url);
}
if (group === 'group_3') {
const url = new URL('/home-v3', request.url);
return NextResponse.rewrite(url);
}
return response;
}
export const config = {
matcher: ['/'],
};
This pattern is trusted because:
- Assigns group on first visit consistent experience
- Uses HttpOnly cookies secure against XSS
- Doesnt rely on localStorage (which can be cleared)
- Supports multiple variants
Pair this with server-side analytics to measure conversion rates per group. Never expose group IDs in URLs keep them hidden to prevent manipulation.
10. Dynamic Locale Redirection Based on Accept-Language Header
For multilingual sites, automatically redirect users to their preferred language using the Accept-Language header.
import { NextRequest, NextResponse } from 'next/server';
const supportedLocales = ['en', 'es', 'fr', 'de', 'ja'];
export function middleware(request: NextRequest) {
const { pathname } = request.nextUrl;
// Skip if path already has locale prefix
if (supportedLocales.some(locale => pathname.startsWith(/${locale}))) {
return;
}
// Get preferred language from header
const acceptLanguage = request.headers.get('accept-language');
if (!acceptLanguage) return NextResponse.next();
// Parse and prioritize languages
const languages = acceptLanguage
.split(',')
.map(part => part.split(';')[0].trim())
.filter(lang => supportedLocales.includes(lang));
if (languages.length > 0) {
const preferredLocale = languages[0];
const url = new URL(/${preferredLocale}${pathname}, request.url);
url.search = request.nextUrl.search;
return NextResponse.redirect(url);
}
// Default to English
const url = new URL(/en${pathname}, request.url);
url.search = request.nextUrl.search;
return NextResponse.redirect(url);
}
export const config = {
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};
Why this is trusted:
- Uses standard HTTP Accept-Language header
- Respects user preferences over server assumptions
- Supports fallback to default locale
- Doesnt interfere with static paths or API routes
Always test with browser language settings. Avoid forcing languages based on IP users may be traveling or using VPNs.
Comparison Table
| Use Case | Implementation Type | Performance Impact | Security Risk | Recommended For |
|---|---|---|---|---|
| Authentication Redirects | Cookie Validation | Low | Low (if token is HttpOnly) | All authenticated apps |
| Country Redirects | Cloudflare Header | None | None | Global e-commerce |
| URL Rewriting | Regex Pattern | Low | Medium (if pattern too broad) | SEO-heavy sites |
| Security Headers | Header Injection | None | Low (if CSP misconfigured) | All production sites |
| Analytics Logging | Fire-and-Forget Fetch | Negligible | Low (if PII collected) | Privacy-compliant analytics |
| Mobile Redirects | User-Agent Regex | Low | Low | Legacy UIs |
| Bot Blocking | User-Agent Filter | Low | Medium (if blocking legit bots) | APIs and admin panels |
| HTTPS Redirect | Protocol Check | None | None | All sites |
| A/B Testing | Cookie-Based Assignment | Low | Low (if group ID exposed) | Conversion optimization |
| Locale Redirection | Accept-Language Parse | Low | Low | Multilingual sites |
FAQs
Can Middleware slow down my Next.js app?
Middleware runs on the Edge Runtime and is optimized for speed. However, any external API call, heavy regex, or synchronous operation can introduce latency. Always avoid await on non-critical operations, use lightweight patterns, and test performance with tools like WebPageTest or Lighthouse.
Does Middleware work with static export?
Yes, but only for server-side rendered pages. Middleware does not run during static generation (getStaticProps) or on fully static pages. It only activates during client-side navigation or server-side rendering. If you use next export, Middleware will only apply to dynamic routes.
Can I use Node.js modules like fs or dotenv in Middleware?
No. Middleware runs on the Edge Runtime, which does not support Node.js core modules. Use environment variables via next.config.js or process.env, and avoid file system operations. Store configuration in environment variables or external services like Vercels secrets.
How do I test Middleware locally?
Use npm run dev or yarn dev. Middleware runs automatically during local development. To simulate headers (like cf-ipcountry or x-forwarded-proto), use browser dev tools or tools like curl: curl -H "cf-ipcountry: US" http://localhost:3000.
Whats the difference between Middleware and API routes?
Middleware runs before the request reaches your application logic its a filter. API routes are endpoints that respond to requests. Use Middleware for pre-processing (redirects, headers, auth), and API routes for data handling (CRUD, forms, webhooks).
Can I use Middleware with Next.js 13 App Router?
Yes. Middleware is fully compatible with the App Router. Place your middleware.ts file in the root directory (same level as app/). The matcher configuration works the same way use path patterns like /dashboard/:path*.
Is Middleware better than server-side rendering for authentication?
Yes for security. Server-side rendering checks auth in getServerSideProps, but Middleware blocks access before any component loads. This prevents flashes of unauthorized content and reduces attack surface.
Why is my Middleware not running?
Common causes: incorrect file name (middleware.js instead of middleware.ts), wrong matcher pattern, or placing it inside app/ instead of root. Ensure the file is named middleware.ts or middleware.js at the project root, and the matcher array targets the correct routes.
Can Middleware access the request body?
No. Middleware cannot read the request body. If you need to inspect POST data, use an API route instead. Middleware is designed for headers, cookies, and URL manipulation not payload processing.
How do I handle errors in Middleware?
Use try/catch blocks and return a NextResponse with an appropriate status code (e.g., 401, 403, 500). Never let unhandled exceptions crash the server Edge Runtime will log them, but your users should see a clean error page.
Conclusion
Middleware in Next.js is not a feature its a foundation. When used correctly, it transforms your application from a collection of components into a cohesive, secure, and high-performance system. The 10 methods outlined in this guide are not suggestions they are proven patterns adopted by teams building applications that serve millions of users daily.
Trust in Middleware comes from understanding its constraints: it runs on the edge, it must be fast, and it must never break the user experience. Every implementation here respects those principles. You now know how to secure routes, personalize content, block threats, and optimize performance all without touching your components.
Start with one use case perhaps authentication or security headers and build from there. As you gain confidence, layer in more advanced patterns like A/B testing or geolocation redirects. The goal isnt to use every technique at once, but to apply the right one at the right time.
Next.js continues to evolve, and Middleware is at the heart of its future. By mastering these trusted patterns, youre not just learning a framework youre adopting a modern web development philosophy: server-first, secure-by-default, and performance-obsessed. Use these techniques wisely, and your applications will stand out not just in functionality, but in reliability.
