FRONT004warningPro

nextjs-redirect-request-url

Redirect uses request.url as URL base, which is wrong behind a reverse proxy.

Applies to: JavaScript, TypeScript

Why this matters

When a Next.js app runs behind a reverse proxy, load balancer, or in Docker, request.url contains the internal hostname (e.g., http://localhost:3000). Using it as the base for new URL() in redirects sends users to the internal host instead of your public domain. Use process.env.NEXT_PUBLIC_APP_URL or a similar env var as the base URL instead.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, FRONT004 includedstablestack explain FRONT004

FRONT004 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: FRONT004