NEXT.JS — ADVERSARIAL TESTING PLAYBOOK

Modern Next.js combines multiple execution contexts (Edge, Node, RSC, client) with smart caching (ISR/RSC fetch cache), middleware, and server actions. Authorization and cache boundaries must be enforced consistently across all of these paths, or attackers will cross tenants, leak data, or invoke privileged actions.

- Routers: App Router (`app/`) and Pages Router (`pages/`) coexist; test both
- Runtimes: Node.js vs Edge (V8 isolates with restricted APIs)
- Data paths: RSC (server components), client components, Route Handlers (`app/api/**`), API routes (`pages/api/**`)
- Middleware: `middleware.ts` / `_middleware.ts`
- Rendering modes: SSR, SSG, ISR, on-demand revalidation, draft/preview mode
- Images: `next/image` optimization and remote loader
- Auth: NextAuth.js (callbacks, CSRF/state, callbackUrl), custom JWT/session bridges
- Server Actions: streamed POST with `Next-Action` header and action IDs

1. Inventory routes (pages + app), static vs dynamic segments, and params. Map middleware coverage and runtime per path.
2. Capture a baseline for each role (unauth, user, admin) across SSR, API routes, Route Handlers, Server Actions, and streaming data.
3. Diff responses while toggling runtime (Edge/Node), content-type, fetch cache directives, and preview/draft mode.
4. Probe caching and revalidation boundaries (ISR, RSC fetch, CDN) for cross-user/tenant leaks.
- Middleware-protected routes (auth, geo, A/B)
- Admin/staff paths, draft/preview content, on-demand revalidate endpoints
- RSC payloads and flight data, streamed responses (server actions)
- Image optimizer and custom loaders, remotePatterns/domains
- NextAuth callbacks (`/api/auth/callback/*`), sign-in providers, CSRF/state handling
- Edge-only features (bot protection, IP gates) and their Node equivalents
- __BUILD_MANIFEST.sortedPages: Execute `console.log(__BUILD_MANIFEST.sortedPages.join('\n'))` in the browser console to instantly reveal all registered routes (Pages Router and static App Router paths compiled at build time)
- __NEXT_DATA__: Inspect `
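Step 1 above (map middleware coverage per route) is easy to do wrong by hand because middleware matchers use path-to-regexp syntax and match concrete request paths, not route patterns. The following is an added example, not code from the playbook or from Next.js: it takes a route list shaped like `__BUILD_MANIFEST.sortedPages` output (constructed here), a `matcher` list from `middleware.ts`, and an assumed policy of which prefixes must sit behind middleware, then reports the sensitive routes the matcher never reaches. The matcher-to-regex conversion is a deliberate simplification covering only the forms the Next.js docs use (literal paths, `:param`, `:param*`, `:param+`, `:param?` and a leading regex group).

```javascript
// Added example (not part of the original playbook). Offline middleware-coverage
// check for Next.js: which sensitive routes does a `matcher` config leave
// unprotected? The path-to-regexp conversion below is a simplification (assumption).

// Route prefixes that must sit behind middleware (assumed policy for this demo).
const SENSITIVE_PREFIXES = ['/admin', '/api/admin', '/api/revalidate', '/api/draft', '/staff'];
// Constructed route list shaped like `__BUILD_MANIFEST.sortedPages` output.
const ROUTES = ['/', '/admin', '/admin/[id]', '/api/admin/users', '/api/revalidate',
  '/api/draft', '/dashboard/[[...slug]]', '/staff/reports'];
// Two matcher configs to compare: a narrow list, and the common "exclude api" recipe.
const MATCHER_NARROW = ['/admin/:path+', '/dashboard/:path*'];
const MATCHER_API_EXCLUDED = ['/((?!api|_next/static|_next/image|favicon.ico).*)'];

// Convert one matcher entry to an anchored RegExp over the request pathname.
function matcherToRegex(pattern) {
  if (pattern.startsWith('/(')) return new RegExp('^/' + pattern.slice(1) + '$'); // regex group form
  const body = pattern.split('/').filter(Boolean).map((seg) => {
    const m = /^:(\w+)([*+?]?)$/.exec(seg);
    if (!m) return '/' + seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // literal segment
    if (m[2] === '*') return '(?:/[^/]+)*'; // zero or more segments
    if (m[2] === '+') return '(?:/[^/]+)+'; // one or more: does NOT match the bare prefix
    if (m[2] === '?') return '(?:/[^/]+)?'; // optional single segment
    return '/[^/]+';                        // exactly one segment
  }).join('');
  return new RegExp('^' + (body || '/') + '$');
}

// Middleware matches concrete request paths, so turn a route pattern into one sample path.
function samplePath(route) {
  const segs = route.split('/').filter(Boolean).flatMap((seg) => {
    if (/^\[\[\.\.\..+\]\]$/.test(seg)) return [];               // optional catch-all: omitted
    if (/^\[\.\.\..+\]$/.test(seg)) return ['sample', 'sample']; // catch-all: two segments
    if (/^\[.+\]$/.test(seg)) return ['sample'];                 // dynamic segment
    return [seg];
  });
  return segs.map((s) => '/' + s).join('') || '/';
}

// Sensitive routes whose sample path matches none of the matcher regexes.
function uncoveredSensitiveRoutes(matchers, routes) {
  const regexes = matchers.map(matcherToRegex);
  return routes.filter((route) => {
    const sensitive = SENSITIVE_PREFIXES.some((p) => route === p || route.startsWith(p + '/'));
    return sensitive && !regexes.some((re) => re.test(samplePath(route)));
  });
}

console.log('narrow matcher misses:', uncoveredSensitiveRoutes(MATCHER_NARROW, ROUTES));
console.log('api-excluded matcher misses:', uncoveredSensitiveRoutes(MATCHER_API_EXCLUDED, ROUTES));
```

The narrow config misses `/admin` itself because `:path+` requires at least one extra segment, and the "exclude api" recipe leaves every `/api/**` route, including the revalidate and draft endpoints, to enforce its own authorization.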