Installation (Next.js 16)
Installation (Next.js 16)
Installation (Next.js 16)
In Next.js 16, middleware was renamed to proxy. The key differences are:
proxy.ts (or proxy.js) replaces middleware.ts.proxy (named export) or as the default export.The NextRequest and NextResponse APIs remain the same. The HUMAN Enforcer works identically in both conventions—the only difference is the file name and the export name.
middleware.ts is still supported in Next.js 16, but it is deprecated and will be removed in a future version. We recommend migrating to proxy.ts.
Integrate the HUMAN Enforcer into your NextJS project by setting it as a proxy in your project.
While only one proxy.ts file is supported per project, you can still organize your logic modularly. Placing the HUMAN Enforcer proxy first ensures that all incoming requests are evaluated for security threats before any other processing occurs. If you have additional logic, use the onPass and onResponse custom functions.
proxy.ts (or proxy.js if you’re using JavaScript) file to configure and set up the HUMAN proxy.px_app_id (your Application ID), px_cookie_secret (your cookie encryption key), and px_auth_token (your authentication token). Import and use the perimeterx function.You can also use a default export: export default perimeterx(pxConfig). Both forms are supported by Next.js 16.
To limit which routes the proxy (and thus the Enforcer) runs on, export a config object alongside the proxy:
See the Next.js proxy documentation for full matcher syntax.
Add implementation to the built-in onResponse and onPass custom functions in your configuration object, in order to execute your own logic after HUMAN verifies the request.
Define what to do when requests pass HUMAN enforcement.
This function allows modification of the response when HUMAN decides to return a custom response—for example, in case of block, static resources, etc.
In Next.js 16, the proxy runs on the Node.js runtime by default. In some deployment environments, request.ip may not be populated. The Enforcer automatically falls back to the x-forwarded-for header when request.ip is unavailable.
If you run behind a load balancer or reverse proxy and need accurate client IP resolution, configure px_ip_headers so the Enforcer knows which header(s) to use:
The headers are traversed in the order listed. The first header with a non-empty value is used as the client IP.
If you are upgrading an existing Next.js 14/15 application that already uses the HUMAN Enforcer via middleware.ts:
middleware.ts to proxy.ts.export const middleware = perimeterx(pxConfig) (or export default) to export const proxy = perimeterx(pxConfig) (or keep export default).onPass/onResponse handlers — they work exactly the same.Next.js also provides an automated codemod for the rename:
All configuration options from the Configuration page remain fully supported. No changes to Enforcer configuration are required when upgrading to Next.js 16.