Zenn (JP): https://zenn.dev/mintototo1/articles/buildlog-2026-05-22-legacy-route-leak
Today, while poking around in the code, I hit an old route that was still live.
The HTML response had my company name and my real name sitting right there in plain text.
So much for staying anonymous.
When did this start leaking?
I checked git log — the route was added over 3 weeks ago. It has been public ever since. I have no idea if search engines crawled it. Honestly I am too scared to check.
How I fixed it
I grepped the Next.js app/ directory to find any leftover route files for the old path.
grep -r "old-route-name" app/ --include="*.tsx" --include="*.ts" -l
Found the files, identified which ones were externally reachable, deleted the route.ts files, and replaced them with a simple 404 stub.
// replacement for the old route.ts
export async function GET() {
  return new Response(null, { status: 404 });
}
I did not use a redirect for a reason. A 301/302 tells the outside world that the path exists. A 404 is indistinguishable from a path that never existed.
The real problem
The bigger issue is how I found this. I only noticed because I happened to click the URL by hand. Without a system, I will miss the next one too.
I plan to add a grep to the pre-deploy hook.
# not written yet
grep -rE "forbidden-term-1|forbidden-term-2" app/ public/ --include="*.tsx" --include="*.ts" --include="*.html"
I fixed today's problem and told myself that was enough. The script is still sitting in a backlog.
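One way the planned pre-deploy check could look, as an added example rather than the author's script: grep exits 0 when it finds a match, so the hook has to turn a match into a failure, and -l keeps the matched name itself out of the deploy log. The function name check_forbidden, the terms-file location and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the author's script. check_forbidden is a hypothetical
# helper. Keep the terms file outside the repository, because it contains
# the very strings that must not ship.
# Usage:   check_forbidden TERMS_FILE DIR [DIR...]
# Returns: 0 clean, 1 forbidden term found, 2 setup error.
check_forbidden() {
    terms_file=$1
    shift
    if [ ! -r "$terms_file" ]; then
        echo "leak-check: cannot read terms file" >&2
        return 2
    fi
    # Drop blank lines: an empty pattern passed via -f matches every line.
    terms=$(mktemp) || return 2
    grep -v '^[[:space:]]*$' "$terms_file" > "$terms" || true
    if [ ! -s "$terms" ]; then
        # A check with no terms would pass silently, so treat it as an error.
        rm -f "$terms"
        echo "leak-check: terms file has no terms" >&2
        return 2
    fi
    found=0
    for dir in "$@"; do
        # Skip directories that do not exist (for example no public/ yet).
        [ -d "$dir" ] || continue
        # -F fixed strings, -i ignore case, -I skip binary files,
        # -l print file names only so the term never reaches the log.
        if grep -rlIiF -f "$terms" \
            --include='*.tsx' --include='*.ts' --include='*.html' \
            "$dir" >&2; then
            found=1
        fi
    done
    rm -f "$terms"
    if [ "$found" -eq 1 ]; then
        echo "leak-check: forbidden term found in the files above" >&2
        return 1
    fi
    return 0
}
# In the hook (path is a placeholder):
#   check_forbidden "$HOME/.config/leak-terms.txt" app public || exit 1
```

This scans source files only, like the grep above; the same function can be pointed at the build output directory as well, since the leak described here was found in the rendered HTML.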