War Story: Our Next.js 16 App Was Hit by a CSRF Attack via a Missing Middleware

It was 2 AM on a Tuesday when our on-call engineer pinged the team Slack: “We’re seeing a spike in unauthorized project deletions and settings changes. User sessions are valid, but the requests don’t match user behavior.”

We had just launched our Next.js 16 project management SaaS two weeks prior, and this was our first major incident. None of us expected the root cause to be a missing 10-line middleware file.

The Setup: Our Next.js 16 Stack

We built the app using Next.js 16’s App Router, with NextAuth.js v5 for authentication, Prisma as our ORM, and Vercel for hosting. We followed most security best practices: hashed passwords, rate limiting on auth endpoints, input validation on all API routes. But in a pre-launch refactor, we stripped out our custom CSRF middleware to debug a conflicting cookie issue, and never added it back.…
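As an added example (not the team's middleware, which the post does not show), here is the kind of origin check such a guard performs: state-changing requests must carry an Origin or Referer on an allow-list, and rejections are logged so a spike like the one above is visible. It is written against the standard Request/Headers API so it runs without Next.js; the allow-listed origin and the middleware.ts placement are assumptions.

```javascript
// Added example: a minimal CSRF guard for state-changing requests. Framework-agnostic
// (standard Request/Headers, Node 18+); in a Next.js App Router project the same check
// would live in middleware.ts and return a 403 NextResponse (assumed placement).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Origins allowed to issue state-changing requests (constructed sample value).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// The origin the browser attributes the request to: the Origin header, falling back
// to the Referer's origin. Returns null when neither is usable.
function requestOrigin(headers) {
  const origin = headers.get("origin");
  if (origin) return origin;
  const referer = headers.get("referer");
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// Safe methods pass; anything else must come from an allow-listed origin. A missing
// origin on a state change is rejected (fail closed): browsers send Origin on every
// cross-site POST, so a genuine cross-site form submission cannot arrive without one,
// and same-site callers still carry Origin or Referer.
function csrfVerdict(method, headers, allowed = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { allowed: true, reason: "safe-method" };
  const origin = requestOrigin(headers);
  if (origin === null) return { allowed: false, reason: "missing-origin" };
  if (!allowed.has(origin)) return { allowed: false, reason: `foreign-origin:${origin}` };
  return { allowed: true, reason: "origin-allowed" };
}

// Middleware-style wrapper: null means "continue to the route", otherwise a 403.
// The structured log line is what on-call would need to spot a burst of rejections.
function csrfGuard(request) {
  const verdict = csrfVerdict(request.method, request.headers);
  if (verdict.allowed) return null;
  console.warn(JSON.stringify({
    event: "csrf_rejected", method: request.method,
    path: new URL(request.url).pathname, reason: verdict.reason,
  }));
  return new Response(JSON.stringify({ error: "cross-site request rejected" }), {
    status: 403, headers: { "content-type": "application/json" },
  });
}
```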