A developer's LinkedIn post about Next.js usage sparked a heated debate across web development communities. The core argument is that many teams claim to build full-stack applications with the framework but actually push all data fetching to the client. This pattern essentially reduces Next.js to a routing layer, exposing external APIs directly to the browser.

This approach bypasses Next.js's core server-side capabilities, which are designed to hide secrets and external services behind controlled endpoints. By calling APIs directly from the browser, developers create unnecessary attack surfaces and potential security leaks. The author contends this misuse forfeits both the performance benefits and the security safeguards the framework provides.

For web-only applications already using Next.js, this method undermines the framework's value. While Express.js remains suitable for large, multi-client APIs, using Next.js as a simple client-side router misses its purpose. Proper implementation keeps backend logic and sensitive operations on the server, maintaining control and reducing exposure for a more secure, efficient application.