Next.js 16 introduces three key changes for security: renaming middleware.ts to proxy.ts to clarify its role as lightweight routing logic, making components dynamic by default with opt-in caching to prevent accidental data leaks, and adding the updateTag() API for immediate cache invalidation after permission changes. These updates establish clearer boundaries between edge-layer traffic control and downstream authentication logic, reduce risks of serving stale authorized content, and ensure permission changes take effect instantly through read-your-writes semantics.
Table of contents
Clarifying the Network Boundary with proxy.tsCache Components and Dynamic by DefaultServer Actions and updateTag()Next.js 16 Makes Authentication and Authorization Boundaries ClearSort: