Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.lintliot.com/llms.txt

Use this file to discover all available pages before exploring further.

The Next.js adapter runs inside Next.js middleware, which means LintLiot intercepts every request at the Edge — before routing, before server components, and before API route handlers. You get WAF protection, bot detection, rate limiting, and anomaly detection with zero changes to your page or API code.

Prerequisites

  • Next.js 13.4 or later with the App Router enabled.
  • @lintliot/sdk installed. See Install the LintLiot SDK.
  • LINTLIOT_API_KEY set in your environment.

Set up middleware

Create or update middleware.ts at the root of your project (the same level as app/):
middleware.ts
import { withLintliot } from '@lintliot/sdk/next'

export default withLintliot({
  apiKey: process.env.LINTLIOT_API_KEY!,
})

export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
}
The matcher pattern above protects every route while excluding Next.js internals and static assets. Adjust it to match your routing needs.
withLintliot returns a standard Next.js middleware function. You can chain it with other middleware libraries that accept the same signature.

How it works

When a request arrives, withLintliot runs these checks in order — all before your app code executes:
  1. IP intelligence — checks against the global LintLiot blocklist and your per-app rules.
  2. Bot detection — scores the request across 12 browser fingerprint signals.
  3. WAF — matches against 150+ patterns covering SQLi, XSS, SSRF, path traversal, and more.
  4. Rate limiting — enforces baseline-relative or configured request limits per IP.
  5. Permission check — optionally verifies the authenticated user has a required permission.
  6. Anomaly detection — flags traffic that deviates from your app’s learned behavioral baseline.
  7. Route sensitivity — applies automatic extra protection to admin, payment, export, and other sensitive route patterns.
Blocked requests receive a 403 or 429 JSON response. Allowed requests pass through to NextResponse.next() with security headers attached.

Protect specific routes only

To limit protection to API routes, update the matcher:
middleware.ts
export const config = {
  matcher: ['/api/:path*'],
}
To protect API routes and all authenticated pages:
middleware.ts
export const config = {
  matcher: ['/api/:path*', '/dashboard/:path*', '/account/:path*'],
}

Configure rate limits and WAF mode

Pass a protect object to customize protection options:
middleware.ts
import { withLintliot } from '@lintliot/sdk/next'

export default withLintliot({
  apiKey: process.env.LINTLIOT_API_KEY!,
  protect: {
    rateLimit: { max: 100, windowMs: 60_000 },
    waf: 'block',
    botDetection: true,
  },
  headers: true,
})

export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
}
Setting headers: true injects security headers — CSP, HSTS, X-Frame-Options, Referrer-Policy, and others — into every passing response.

Protect individual route handlers

For fine-grained permission checks on a specific API route, use protectRoute:
app/api/admin/users/route.ts
import { protectRoute } from '@lintliot/sdk/next'
import { NextRequest } from 'next/server'

async function handler(req: NextRequest) {
  return Response.json({ users: [] })
}

export const GET = protectRoute(handler, { require: 'admin:read' })
protectRoute extracts the user ID from the request headers (supporting Clerk, NextAuth, and Supabase conventions) and checks the permission against LintLiot IAM before calling your handler. Unauthenticated requests receive 401; unauthorized requests receive 403.

Skip specific paths

To exclude routes from protection — such as health checks — use skipRoutes:
middleware.ts
import { withLintliot } from '@lintliot/sdk/next'

export default withLintliot({
  apiKey: process.env.LINTLIOT_API_KEY!,
  protect: {
    skipRoutes: ['/health', '/ping'],
  },
})

export const config = {
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
}

Environment variable setup

.env.local
LINTLIOT_API_KEY=lintliot_your_key_here
Next.js exposes environment variables to middleware when they do not have the NEXT_PUBLIC_ prefix, so LINTLIOT_API_KEY stays server-only.

Edge runtime compatibility

The Next.js adapter is fully compatible with the Edge Runtime. It uses only Web-standard APIs (fetch, Request, Response, Headers) and does not import any Node.js built-ins. You can deploy to Vercel Edge Functions, Cloudflare Pages, or any Edge-compatible environment without additional configuration.
Because the adapter initializes subsystems at module load time (not per-request), warm serverless instances reuse the same WAF engine and rules cache. Cold starts incur a one-time rules sync that completes in the background and does not block the first request.