Conversation

pontasan
Contributor

@pontasan pontasan commented Sep 5, 2025

Summary
This PR adds a note to the documentation clarifying the behavior when using external or internal URLs (API Routes) as image sources with Next.js Image Optimization.
This change addresses issue #82610.

Details

  • Added a note explaining that, for security reasons, request headers are not forwarded to API Routes or external URLs when Image Optimization is used.
  • Documented that if image data requires authentication, the unoptimized property should be considered to disable Image Optimization.

Why
Users may be confused when trying to load images from endpoints that require authentication. This clarification helps developers understand the limitation and how to handle such cases.

References

resolves #82610
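As an added example, not part of this PR or of the Next.js code base, the following JavaScript models the behaviour the note describes: a hypothetical API Route that checks a session cookie, a stand-in for the optimizer's upstream fetch that carries no browser headers, and the two ways an `<Image>` request can reach the route depending on `unoptimized`.

```javascript
// Added illustration, not Next.js source code. The optimizer fetches the upstream
// image server-side and forwards none of the browser's request headers, so an API
// Route that checks a session cookie answers 401 and the optimized image fails;
// with `unoptimized` the browser requests the route directly and its cookie goes along.

// Hypothetical protected API Route (/api/private-image): requires a session cookie.
function protectedImageRoute(req) {
  const cookie = req.headers.cookie || "";
  if (!/(?:^|;\s*)session=valid(?:;|$)/.test(cookie)) {
    return { status: 401, body: null };
  }
  return { status: 200, body: "<png bytes>" }; // constructed stand-in for image data
}

// Model of the optimizer's upstream fetch: only the URL is carried over.
// Incoming headers (cookie, authorization, ...) are deliberately dropped, so an
// optimized copy can never be handed to a user who is not authorized to see
// the original (the behaviour the PR documents).
function optimizerFetch(browserReq, upstream) {
  const upstreamReq = { url: browserReq.url, headers: {} };
  const res = upstream(upstreamReq);
  if (res.status !== 200) {
    return { status: 500, body: null, error: "upstream image response failed: " + res.status };
  }
  return { status: 200, body: "optimized(" + res.body + ")" };
}

// Resolves an <Image src={url} unoptimized={...} /> request for one browser.
// unoptimized: false goes through the optimizer; true goes straight to the route.
function loadImage({ url, unoptimized }, browserHeaders, upstream) {
  const browserReq = { url, headers: browserHeaders };
  return unoptimized ? upstream(browserReq) : optimizerFetch(browserReq, upstream);
}

// Constructed sample: a logged-in browser requesting the protected image both ways.
const loggedIn = { cookie: "theme=dark; session=valid" };
const viaOptimizer = loadImage({ url: "/api/private-image", unoptimized: false }, loggedIn, protectedImageRoute);
const direct = loadImage({ url: "/api/private-image", unoptimized: true }, loggedIn, protectedImageRoute);
console.log(viaOptimizer.status, viaOptimizer.error); // 500 upstream image response failed: 401
console.log(direct.status);                            // 200
```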

@ijjk ijjk added the Documentation Related to Next.js' official documentation. label Sep 5, 2025
@ijjk
Member

ijjk commented Sep 5, 2025

Allow CI Workflow Run

  • approve CI run for commit: 82adc2b

Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer

@DabirRahmani

Thanks for referencing my issue (#82703).
Just to clarify, the case I'm experiencing is different from the scenarios described in this PR. My issue doesn't involve authentication headers or the unoptimized property.

@pontasan
Contributor Author

pontasan commented Sep 6, 2025

Thanks for referencing my issue (#82703). Just to clarify, the case I'm experiencing is different from the scenarios described in this PR. My issue doesn't involve authentication headers or the unoptimized property.

Thank you for pointing that out.
I was referring to it since I found the following description related to this matter.

The patch from #82114 was fixing a security vulnerability. It was a bug that headers were ever forwarded so we removed them. I do not recommend adding it back or else your app could expose private images to unauthorized users.

See GHSA-g5qg-72qw-gw5v

I’d like to emphasize once again that this PR is meant to address issue #82610.

Sorry, and thank you for pointing that out.
I prefer the latter, which explicitly mentions internal URLs, since the intention is to make the restrictions and behavior clearer to developers.

Member

@styfle styfle left a comment

Thanks! I pushed a couple suggestions 👍

@styfle styfle enabled auto-merge (squash) September 8, 2025 14:44
@styfle styfle merged commit 90c5a66 into vercel:canary Sep 8, 2025
66 checks passed
@pontasan
Contributor Author

pontasan commented Sep 8, 2025

Thank you for accepting my PR.
I really appreciate everyone’s generous support and guidance.

Successfully merging this pull request may close these issues.

[Regression] Image optimizer fails to serve images on routes requiring authorization