A month ago, I published a post on LinkedIn with this exact title.
It caught a lot of developers’ attention. More than I expected.
It even found its way to a Reddit group with over 500 upvotes, and arguments among developers: https://www.reddit.com/r/webdev/comments/1pqrqfv/i_guess_ive_been_using_nextjs_the_wrong_way/
This is the post below:
Most People Don’t Actually Use Next.js as a Backend.
It’s a pattern I keep seeing over and over.
People say they use Next.js for full-stack projects, but when you look closer, all data fetching happens on the client, and every request goes straight from the browser to some external API. No server logic. No backend responsibility. No real use of the framework.
At that point, you’re not really using Next.js. You’re just using React with better routing.
When your frontend calls external services directly, you’re exposing API endpoints, request patterns, and sometimes even secrets through environment leaks or misconfigurations.
Next.js exists to prevent this. It lets your app act as the backend. External services stay hidden behind server routes, secrets never touch the browser, and users only interact with your controlled endpoints. No direct exposure. No unnecessary attack surface.
Express still makes sense for large, shared, multi-client APIs.
But if your app is web-only and you already chose Next.js, using it like CRA defeats both security and simplicity.
If your Next.js app exposes external APIs directly to the client, you’re not using the framework properly. You’re leaving security, performance, and control on the table.
Use the right tool.
And more importantly, use it correctly👍.
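As an added example (not code from the original post), this sketches the server-route pattern described above as the logic of a Next.js App Router route handler: the browser calls your endpoint, and only the server holds the key and talks to the external API. The upstream host `api.weather.example`, its `q`/`name`/`temp_c` fields, the `WEATHER_API_KEY` variable and the `createWeatherHandler` helper are assumptions for illustration.

```javascript
// Added example: logic for app/api/weather/route.js in a Next.js App Router project.
// Upstream host, field names and env var name are hypothetical.
const UPSTREAM = "https://api.weather.example/v1/current";
const CITY_RE = /^[\p{L} .'-]{1,64}$/u; // allow-list for the only client-supplied input

function json(status, body) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json", "cache-control": "no-store" },
  });
}

// fetchImpl and apiKey are injectable so the handler can be exercised without a network.
function createWeatherHandler({ fetchImpl = fetch, apiKey = process.env.WEATHER_API_KEY } = {}) {
  return async function GET(request) {
    const city = new URL(request.url).searchParams.get("city") ?? "";
    if (!CITY_RE.test(city)) return json(400, { error: "invalid city" });
    if (!apiKey) return json(500, { error: "server misconfigured" });

    // The client never chooses the upstream URL; only a validated value enters the query.
    const target = new URL(UPSTREAM);
    target.searchParams.set("q", city);

    let upstream;
    try {
      upstream = await fetchImpl(target, {
        headers: { authorization: `Bearer ${apiKey}` }, // secret stays on the server
        signal: AbortSignal.timeout(5000), // bound how long a slow upstream can hold the route
      });
    } catch {
      return json(502, { error: "upstream unavailable" });
    }
    // Upstream status text and body are not relayed to the browser.
    if (!upstream.ok) return json(502, { error: "upstream error" });

    const data = await upstream.json();
    // Return only the fields the UI needs, not the raw upstream payload.
    return json(200, { city: data.name, tempC: data.temp_c });
  };
}

// In the route file itself: export const GET = createWeatherHandler();
```

Keep the key in a variable without the `NEXT_PUBLIC_` prefix, since Next.js inlines `NEXT_PUBLIC_*` variables into the browser bundle.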
LinkedIn post: https://www.linkedin.com/in/kenneth-nnabuife-a7a63812a