nextjs - 💡(How to fix) Fix Turbopack production build generates chunk filenames with multiple dots that trigger WAF 403 responses

Link to the code that reproduces this issue

https://turbopack-waf-repro-production.up.railway.app/

To Reproduce

1. Create a Next.js 16 app
2. Build with next build --turbopack
3. Deploy behind a reverse proxy or WAF with standard security rules (e.g., ModSecurity, AWS WAF, Cloudflare, Azure Front Door)
4. Load any page in the browser

Current vs. Expected behavior

Current: Turbopack generates chunk filenames with multiple dots, such as:

• 0od.e4.nsryo4.js (3 dots)
• 05i_ndlbxx.jt.js (2 dots)
• 0n.64z2vyhogj.js (2 dots)

Filenames with 3+ dots (like 0od.e4.nsryo4.js) are interpreted by standard WAF rules as "multiple file extension" patterns (a common attack vector like shell.php.jpg) and are blocked with 403 Forbidden responses. This causes ChunkLoadError at runtime:

GET https://example.com/_next/static/chunks/0od.e4.nsryo4.js net::ERR_ABORTED 403 (Forbidden)
ChunkLoadError: Failed to load chunk /_next/static/chunks/0od.e4.nsryo4.js from module 255759

Expected: Chunk filenames should use URL-safe, WAF-friendly patterns that do not contain multiple dots before the .js extension. Webpack-based builds (next build without --turbopack) generate names like chunks/framework-abc123.js which do not trigger these rules.

Provide environment information

- Next.js: 16.2.6
- Node.js: 24.x
- Build command: `next build --turbopack`
- Output mode: `standalone`
- Deployment: Docker container behind a reverse proxy with standard security rules

Which area(s) are affected? (Select all that apply)

Webpack, Turbopack

Which stage(s) are affected? (Select all that apply)

Other (Deployed)

Additional context

Additional context

Verification: We tested all chunks referenced in our page HTML:

• Chunks with 1-2 dots → 200 OK
• Chunk with 3 dots (0od.e4.nsryo4.js) → 403 Forbidden

This only affects production deployments behind a WAF/reverse proxy. Local development with next dev --turbopack works fine because files are served directly without proxy interception.

Workaround: Removing --turbopack from the build command resolves the issue since webpack generates filenames without multiple dots.

Suggested fix: The Turbopack chunk naming algorithm should avoid generating filenames with more than one dot before the file extension (i.e., max pattern: chunkname.js, not chunk.name.hash.js). Alternatively, use hyphens or underscores instead of dots as separators in chunk IDs.