My Next.js application is failing in production due to a false positive from the Network Application Firewall (NAW). I’m seeing the following error in my logs when the client makes normal Next.js App Router requests (RSC / Server Actions / API POSTs):
[PU02] could not complete HTTP request to instance: error from user's HttpBody stream: blocked by NAW: rsc_resolved_model_injection
This causes requests to hang indefinitely (stuck “pending” in the browser) with 0 bytes returned to the client.
I also saw a very similar report on the Fly community forum where NAW blocked legitimate Next.js RSC internals with rsc_flight_chunk_reference, and a Fly staff member mentioned an experimental Next.js exploit blocker rollout that was rolled back due to false positives. This looks like the same class of issue, but with a different NAW rule name (rsc_resolved_model_injection / also previously rsc_prototype_pollution_constructor).
I’m on a plan that does not show a “Security” / “Firewall” tab in the dashboard, so I can’t disable/relax NAW myself.
My questions:
Is there a self-serve NAW toggle / “monitor mode” / allowlist I can enable via fly.toml or the CLI for my app?
If not, can a Fly staff member please disable NAW (or set it to monitor mode) for my app (image-poster), given these are confirmed false positives blocking production traffic?
Could you clarify what NAW is? My only search result for “blocked by NAW: rsc_resolved_model_injection” was this forum thread.
NAW = Fly.io’s Network Application Firewall (their edge/WAF layer). It can block requests based on security rules/signatures; in this case it’s blocking legitimate Next.js RSC / Server Actions traffic and the client sees the request hang pending with 0 bytes.
error.message="could not complete HTTP request to instance: error from user's HttpBody stream: blocked by NAW: rsc_internal_object_spoofing" 2025-12-30T21:22:40Z proxy[e829457b7104e8] lhr
error.message="could not complete HTTP request to instance: error from user's HttpBody stream: blocked by NAW: rsc_resolved_model_injection" 2025-12-30T21:19:00Z proxy ewr
So it’s not just rsc_resolved_model_injection — we’re now seeing rsc_internal_object_spoofing too. App requests hang pending with 0 bytes when these trigger.
Is there a self‑serve NAW disable/monitor toggle for non‑paid accounts, or can staff disable/monitor NAW for app image-poster?
I wonder if the NAW is undocumented. I’m no Fly expert (just another customer, using a few Fly bits and pieces). I would hazard a guess that NAW was dropped in to handle the Next.js security issue specifically; I seem to recall that was a high-risk vulnerability.
I’ve no doubt you’ll get a response from a staff member for this. It feels like it’s in “should never happen” territory.
Thanks for flagging this! We’ve rolled out a fix for you here, so you should be all set now. Please let us know if you’re still having problems with the app!
Thanks — I’m still seeing NAW blocks after the fix:
blocked by NAW: rsc_resolved_model_injection (proxy cdg)
blocked by NAW: rsc_prototype_pollution_constructor (proxy lhr)
blocked by NAW: rsc_internal_object_spoofing (proxy lhr)
These are edge‑level blocks before the app receives the request. Can you confirm NAW is disabled/monitor‑only for app image-poster across all edge regions, or apply an allowlist for Next.js RSC traffic?
Hey Eli! Just wanted to jump in to say that unless the tweak was specific to the user above, the fix isn’t working. I’m still seeing those errors in my Umami deployment (another Next.js app) as recently as 4h ago:
20:57:00 [PU02] could not complete HTTP request to instance: error from user's HttpBody stream: blocked by NAW: rsc_exploit_attempt
You will see blocked requests appear in your application logs; these blocked requests are known exploits. We don’t currently have an option to disable this, but the tweaking we have done is to ensure we’re not blocking any false positives.
If that error log lines up with a request (that you’re able to share) that should not be blocked, we can take a look. But the log on its own is expected as a lot of exploits and scanners are hitting things en masse.
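Added example (not part of the thread and not Fly.io tooling): to line up a NAW block with a specific request, as the last reply asks, this script pulls the rule name, edge region and timestamp out of proxy log lines and summarizes them per rule and region. The one-event-per-line "timestamp proxy[id] region" layout and the sample lines are assumptions constructed from the fragments quoted above.

```python
import re
from collections import defaultdict

# Constructed sample. The "timestamp proxy[id] region" prefix is an assumed
# layout; the message text and rule names are those quoted in the thread.
MSG = "[PU02] could not complete HTTP request to instance: error from user's HttpBody stream: blocked by NAW: "
SAMPLE_LOG = "\n".join([
    "2025-12-30T21:19:00Z proxy[e829457b7104e8] ewr " + MSG + "rsc_resolved_model_injection",
    "2025-12-30T21:22:40Z proxy[e829457b7104e8] lhr " + MSG + "rsc_internal_object_spoofing",
    "2025-12-30T21:25:10Z proxy[e829457b7104e8] lhr " + MSG + "rsc_internal_object_spoofing",
    "2025-12-30T21:26:00Z app[e829457b7104e8] lhr GET / 200",  # not a block
    "blocked by NAW: rsc_prototype_pollution_constructor (proxy lhr)",
])

RULE_RE = re.compile(r"blocked by NAW: (?P<rule>\w+)")
PREFIX_RE = re.compile(r"^\s*(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+proxy(?:\[[^\]]*\])?\s+(?P<region>[a-z]{3})\b")
SUFFIX_RE = re.compile(r"\(proxy (?P<region>[a-z]{3})\)")

def parse_blocks(text):
    """Return one dict per NAW block line: rule, timestamp, edge region."""
    events = []
    for line in text.splitlines():
        rule = RULE_RE.search(line)
        if not rule:
            continue
        prefix, suffix = PREFIX_RE.match(line), SUFFIX_RE.search(line)
        region = prefix.group("region") if prefix else (suffix.group("region") if suffix else None)
        events.append({"rule": rule.group("rule"),
                       "ts": prefix.group("ts") if prefix else None,
                       "region": region})
    return events

def summarize(events):
    """Count blocks per (rule, region) and keep the first/last timestamp seen."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for e in events:
        s = out[(e["rule"], e["region"])]
        s["count"] += 1
        if e["ts"]:  # ISO-8601 UTC strings sort chronologically
            s["first"] = min(s["first"] or e["ts"], e["ts"])
            s["last"] = max(s["last"] or e["ts"], e["ts"])
    return dict(out)

if __name__ == "__main__":
    rows = summarize(parse_blocks(SAMPLE_LOG))
    for (rule, region), s in sorted(rows.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")):
        print(f"{rule:40} {region or '-':4} n={s['count']} {s['first']} .. {s['last']}")
```

The first/last timestamps per rule and region give a window to compare against client-side request times, since a blocked request never reaches the app's own logs.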