A few days ago, I watched an eye-opening video by Hitesh Choudhary on his channel Chai Aur Code about the latest Next.js update — and it got me thinking.
He mentioned that Next.js Middleware is being deprecated, with the framework shifting toward Proxy routes/files instead.
That caught my attention — because Middleware has been such a core part of how many of us handle authentication, logging, and redirects in our Next.js apps.
So… is Middleware really going away? Or is this just another evolution in how Next.js handles requests at the Edge?
Let’s unpack what’s really happening 👇
⚙️ What’s Actually Happening
After digging into the Next.js docs, Vercel blog posts, and several GitHub discussions, here’s the full picture:
- Middleware still exists — but it’s evolving
As of Next.js 15.5, Middleware (middleware.ts or middleware.js) is still supported and officially documented.
It continues to handle rewrites, redirects, and lightweight request transformations.
However, recent Next.js releases are tightening how and when Middleware runs — especially on the Edge Runtime.
That means fewer full-Node APIs, and more limitations around headers, streaming, and WebSockets.
- There was a major security issue (CVE-2025-29927)
In early 2025, a critical vulnerability was discovered — known as CVE-2025-29927.
It allowed attackers to bypass Middleware-based authentication using a specially crafted header (x-middleware-subrequest).
This triggered a huge response from the Vercel team, who patched the issue across multiple versions (Next.js 12 → 15).
🔗 Vercel Postmortem on Middleware Bypass
🔗 Security Analysis from ProjectDiscovery
The takeaway?
Vercel now explicitly recommends not relying solely on Middleware for security or authentication.
Middleware should be used only for light interception — not as your main guard.
- The “Proxy” concept is the new direction
Many developers noticed that the Next.js team and community are pushing a migration toward Proxy files.
This isn’t a literal “replacement” yet — but it’s a shift in philosophy.
Where Middleware acted globally, Proxy routes handle requests closer to the endpoint level.
They make intent clearer (forwarding / modifying requests) and are easier to reason about for Edge deployments.
Example of a rewrite proxy pattern:
// next.config.js
module.exports = {
async rewrites() {
return [
{
source: '/api/:path*',
destination: 'https://external-api.com/:path*',
},
]
},
}
This keeps API logic inside your route handlers, and avoids putting critical auth logic in Middleware.
- The “middleware → proxy” migration isn’t mandatory (yet)
There’s no official announcement that Middleware will be removed in a specific Next.js version.
The Next.js 15.5 release notes even mention that the Node.js Middleware runtime is now stable — which implies continued support.
Still, there are deprecation warnings and new best practices being introduced in preparation for Next.js 16.
So think of it this way:
Middleware isn’t being killed — it’s being refocused.
It’s now meant for rewrites, redirects, and edge-side routing, not business logic or authentication.
🔮 What to Expect Going Forward
Based on the current trajectory and official communication:
🟩 Middleware will stay — but with stricter constraints and reduced responsibility
🟦 Proxy patterns will become the recommended approach for API interception and request forwarding
🟨 Authentication should move closer to API routes or server actions
🟥 Using Middleware for complex logic or sensitive security checks is now discouraged
In short: the future of Middleware is lighter, safer, and more focused.
🧠 My Take
This change actually makes sense.
When Middleware was introduced, it promised flexibility — but with Edge runtimes, some behaviors became inconsistent.
A “Proxy-first” design helps avoid those pitfalls, making your app more predictable across different environments.
If you’re maintaining an older Next.js project:
Keep Middleware for routing, rewrites, or caching logic.
Move security and heavy logic to API routes or route handlers.
Test everything on Edge deployments before shipping.
💬 Discussion: Middleware vs Proxy
I’d love to hear from other developers:
Have you migrated from Middleware to Proxy yet?
Did you see any performance or reliability improvements?
Are you still using Middleware for auth, or moving logic into your routes?
Drop your thoughts below 👇
Let’s learn from each other’s experiences — before this migration becomes the new standard 🚀
Top comments (1)
Great read. Thanks for sharing. Will dig deeper into this in the docs.