Link to the code that reproduces this issue
https://codesandbox.io/p/devbox/eager-shirley-333t5w
To Reproduce
- Use Next.js version
16.2.0.
- Run a production build using Turbopack:
next build.
- Deploy the application behind an Nginx server or a WAF (Web Application Firewall) with standard security hardening rules (e.g.,
block_common_exploits.conf).
- Attempt to load the application.
- The browser console shows 403 Forbidden errors for static CSS and JS chunks.
Current vs. Expected behavior
Comparison of generated filenames:
| Version |
Filename Example |
Naming Strategy |
Status |
| 16.1.7 |
turbopack-01ca012029ca2e66.js |
Clean Hexadecimal |
PASS |
| 16.2.0 |
turbopack-0c3o1svijj_~~.js |
Reserved (~~) |
FAIL (403) |
| 16.2.0 |
0...f7~att2_2.js |
Reserved (... and ~) |
FAIL (403) |
| 16.2.0 |
0q~2copru0zy0.css |
Reserved (~) |
FAIL (403) |
Provide environment information
Operating System:
Platform: win32
Arch: x64
Version: Windows 11 Pro
Available memory (MB): 24284
Available CPU cores: 12
Binaries:
Node: 24.14.0
npm: 11.9.0
Yarn: N/A
pnpm: N/A
Relevant Packages:
next: 16.2.0
eslint-config-next: 16.2.0
react: 19.2.4
react-dom: 19.2.4
typescript: 5.9.3
Which area(s) are affected? (Select all that apply)
Turbopack
Which stage(s) are affected? (Select all that apply)
Other (Deployed)
Additional context
No response
Link to the code that reproduces this issue
https://codesandbox.io/p/devbox/eager-shirley-333t5w
To Reproduce
16.2.0.next build.block_common_exploits.conf).Current vs. Expected behavior
Comparison of generated filenames:
turbopack-01ca012029ca2e66.jsturbopack-0c3o1svijj_~~.js~~)0...f7~att2_2.js...and~)0q~2copru0zy0.css~)Provide environment information
Which area(s) are affected? (Select all that apply)
Turbopack
Which stage(s) are affected? (Select all that apply)
Other (Deployed)
Additional context
No response