<Image> (Remote)
Securing external image optimization.
External Images
Unlike local images, Next.js cannot inspect remote images (like those from an S3 bucket or CMS) during the build process.
This introduces two strict requirements: you must explicitly define the image's dimensions, and you must whitelist the remote domain.
The Security Risk
Image optimization is an expensive server-side process.
If Next.js allowed any external URL, attackers could abuse your server by repeatedly requesting optimizations for massive, malicious, or external third-party images.
To prevent this Server-Side Request Forgery (SSRF) and resource exhaustion, Next.js blocks all external images by default.
Remote Patterns
To allow an external image, you must whitelist its domain in your next.config.js file using remotePatterns.
js
// next.config.js
module.exports = {
images: {
remotePatterns: [{ hostname: 'my-cms.com' }],
},
}
Because Next.js cannot inspect the file at build time, you must also provide explicit width and height props to prevent Cumulative Layout Shift.
The Security Barrier
Watch how the Next.js Optimization Server intercepts external requests. If the domain isn't whitelisted in the configuration, the server drops the request to protect itself.
Optimizer
Check yourself
Pick an answer to lock it in, then read why. Getting one wrong is part of how it sticks.
Remember this
- Remote images require explicit
widthandheightprops to prevent layout shift. - You must whitelist external domains in
next.config.jsusingremotePatterns. - This restriction exists to protect your server from malicious abuse and resource exhaustion.
Done with this concept?
Mark it complete to track your progress. No login needed.