May 2026 Summaries
15 posts from Strapi
Filter
Month:
Year:
Post Summaries
Back to Blog
This tutorial explores building a B2B wholesale catalog using Strapi 5 and Next.js 16, offering a more efficient approach to managing login-gated catalogs with per-customer pricing tiers. It suggests creating a backend with Strapi 5 to store products with multiple tier prices and a frontend with Next.js 16 App Router to manage authentication, server-side catalog rendering, and a quote request flow, replacing the traditional cart checkout. The architecture divides responsibilities between Strapi 5, which manages access control and tier-to-price logic, and Next.js 16, which handles rendering and buyer sessions. The guide emphasizes the importance of modeling data correctly in Strapi, using a custom policy and controller overrides to ensure buyers see only the prices relevant to their tier. It also discusses setting up a server action for handling JWT-based authentication and using React Context for managing cart state in the frontend. The tutorial concludes by suggesting additional features such as order history and CRM integration to enhance the catalog's functionality.
May 28, 2026
4,765 words in the original blog post.
The Strapi MCP server, now available in Beta, addresses the challenge of bridging AI-native products with content backends by enabling seamless interaction between Strapi-managed content and AI agents. This integration allows teams to wire agents, such as Claude Desktop and OpenAI, to a self-hosted Strapi v5 instance using the MCP standard, offering functionalities such as CRUD operations and content management through generated tools based on user schemas. With support for features like filtering, sorting, and i18n locales, the server is aimed at providing fine-grained access control via Admin tokens, ensuring that agent interactions are precisely scoped. The Beta release encourages community feedback to refine and prioritize features before the general availability (GA) release, with users able to share their experiences and suggestions through GitHub and Discord. This collaborative development process, driven by real-world implementations, will shape the final offering, enhancing the plugin ecosystem and promoting seamless AI-content integration.
May 28, 2026
972 words in the original blog post.
The tutorial provides a step-by-step guide on building a prototype banking dashboard using Strapi 5 and Next.js 16, emphasizing the ease of creating a frontend interface to visualize banking data, an admin panel to manage data, and an API for data connectivity. Strapi simplifies the development process by automatically generating an admin panel and REST API from user-defined data models, allowing developers to focus on the frontend aspects like layout and user experience. The tutorial walks through creating content types for accounts, transactions, and cards, and setting up relations between them using Strapi's Content-Type Builder. It then guides on configuring API access, seeding sample data, and developing the Next.js frontend to fetch and display data using server-side rendering and client-side interactive components with Recharts for data visualization. The guide concludes with suggestions for further development, such as adding authentication and deploying the application for production use, while noting that the prototype is mainly for learning and demonstration purposes, not for creating secure, production-ready banking systems.
May 28, 2026
3,726 words in the original blog post.
The tutorial details the process of building a coupons and deals website using Strapi 5 as the backend and Next.js 16 as the frontend. It emphasizes the importance of maintaining fresh content for user satisfaction and explains how to model stores, deals, and categories using Strapi's Content-Type Builder. The site utilizes Strapi's REST API and the qs library for data fetching, while Next.js handles rendering with Server Components and Incremental Static Regeneration (ISR) for frequent updates without full rebuilds. The tutorial skips over authentication and payment functionalities, focusing on setting up the core site structure, including deal listings, category filters, and individual deal pages with coupon code reveals. It also covers the technical setup of the development environment, including Node.js, npm, and configuration files, and outlines strategies for keeping the site content fresh through ISR and potential webhook-triggered on-demand revalidation. The explanation provides insights into deploying the site with production-ready practices, such as switching from SQLite to PostgreSQL and securing API endpoints, while also suggesting further enhancements like affiliate tracking and user management.
May 28, 2026
4,126 words in the original blog post.
The tutorial provides a detailed guide on building a full-stack travel itinerary planner using Strapi 5 for the backend and Next.js 16 for the frontend, demonstrating how to handle hierarchical content structures that include trips, days, and activities. It highlights the use of Strapi's Content-type Builder to model nested components such as Day and Activity, allowing for editable content through the Strapi Admin Panel. The frontend, powered by Next.js 16, fetches data via Strapi's REST API and renders trips on an index page and detailed day-by-day views using dynamic routes. The tutorial emphasizes efficient data fetching strategies, including the use of populate queries and caching mechanisms, to optimize performance. It also discusses deployment options, common issues, and possible extensions like authentication, map views, and webhook-driven revalidation to enhance the planner's functionality. The approach outlined is suitable for production use and offers a scalable and flexible solution for managing travel content.
May 28, 2026
4,149 words in the original blog post.
The tutorial provides a comprehensive guide for building a subscription billing application using Strapi 5 as a headless CMS, along with Stripe and Polar for payment processing and compliance, respectively. It addresses the complexity of managing subscription billing across multiple providers by modeling subscription plans in Strapi, integrating Stripe for direct payment processing, and using Polar for tax compliance and billing infrastructure. The guide details the creation of custom routes and controllers to manage checkout flows, verify webhook signatures, and maintain subscription state synchronization across systems. Strapi serves as the single source of truth for plan metadata, while Stripe and Polar provide complementary roles in the billing stack. The integration involves configuring API permissions, setting up payment provider accounts, and ensuring the correct handling of webhooks to update subscription records. The tutorial emphasizes the importance of idempotency in webhook processing and offers strategies for testing the full billing flow, including using test cards and webhook tunneling for local development. Overall, it presents a robust framework for establishing a scalable and efficient subscription billing system.
May 27, 2026
3,591 words in the original blog post.
In an effort to consolidate and streamline the hiring process, this guide provides a detailed tutorial on building an Applicant Tracking System (ATS) using Strapi 5 as a backend and Next.js 16 as a frontend framework. The ATS allows for complete ownership and customization of the data model, avoiding per-seat fees as the team grows, and enables features such as job postings, candidate applications, and a status-tracking pipeline. The tutorial covers setting up Strapi as a headless CMS for content modeling, storage, and API generation, while Next.js is used to render the job board and application forms. It explains how to model data with relational fields, create a public job board, and track candidate progress through various hiring stages using enumeration fields and filtered API queries. The project includes instructions for setting up the tech stack, configuring API permissions, and deploying a full-stack ATS. By leveraging Strapi’s content-type builder, flat response format, and documentId strings, the tutorial demonstrates how to build a scalable and extensible ATS that supports REST API filters and controlled access through the Users and Permissions plugin.
May 27, 2026
3,924 words in the original blog post.
A comprehensive guide outlines the process of building an affiliate marketing tracker using Strapi 5 and Next.js 16, offering an alternative to costly third-party platforms by creating a self-hosted solution. The guide details how Strapi 5 manages affiliate partners, links, and click events through its REST API, while Next.js renders a real-time dashboard for performance data. The tutorial involves setting up a Strapi backend to define data structures and relationships using Collection Types and creating a custom controller for click logging and redirection. It also describes configuring the Next.js frontend to fetch and display affiliate data using server components, with added functionalities like filtering by date range and partner. The document emphasizes the benefits of Strapi's Content-Type Builder, Document Service API, and auto-generated REST endpoints in simplifying backend operations and highlights the scalability considerations for production deployment.
May 27, 2026
3,809 words in the original blog post.
The tutorial provides a comprehensive guide for setting up modern authentication flows using Strapi v5 and Next.js through the Better Auth plugins, which offer alternatives to the default users-permissions plugin. This setup involves replacing the existing users-permissions plugin with three community plugins that handle authentication flows, API role-based access control, and an admin dashboard for user management. The guide walks through the process of removing the existing plugin, installing the new plugins, configuring them through a central auth.ts file, and setting up the frontend using the Better Auth client SDK. It emphasizes the benefits of this setup, such as improved admin user management, support for social logins, two-factor authentication, and magic links, while cautioning that these plugins are still in pre-release and not recommended for production use. The tutorial also addresses common troubleshooting issues and provides resources for further development and feedback.
May 21, 2026
6,093 words in the original blog post.
CVE-2026-44578 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting self-hosted Next.js versions 13.4.13 through 15.5.15 and 16.0.0 through 16.2.4, allowing attackers to access internal services via the WebSocket upgrade handler. This flaw, patched by Vercel on May 11, 2026, is not present in Vercel-hosted apps but poses a significant risk to self-hosted environments, especially those lacking a reverse proxy. The vulnerability exploits a routing asymmetry where the WebSocket upgrade handler neglects certain safety checks, enabling crafted GET requests to reach internal services, including AWS Instance Metadata Service (IMDS). To mitigate the risk, affected deployments should upgrade to Next.js 15.5.18 or 16.2.6, employ reverse proxy defenses, and enforce IMDSv2 to prevent unauthorized metadata access. The vulnerability highlights the importance of scrutinizing framework-level request handling alongside application code to ensure comprehensive security, especially in setups where a Next.js frontend interfaces with a backend CMS like Strapi.
May 20, 2026
2,666 words in the original blog post.
In an AI SaaS development context, Strapi, an open-source headless CMS, provides a robust backend solution that allows developers to maintain control over essential components like data models, authentication, and permissions, which are crucial for preventing issues such as data leaks or improper billing processes. The integration of Strapi with Next.js facilitates the creation of dynamic applications featuring chat, image, and video generation capabilities without the need to continuously rewrite infrastructure. By employing backend patterns such as streaming responses for chat, maintaining a gallery for image generation, and using polling for video generation, developers can create scalable and reliable applications that can adapt to changing frontend needs. Strapi's flexibility in serving multiple consumers through its API, regardless of the frontend technology used, allows for easy integration of AI while maintaining backend stability, thereby ensuring that the rapid evolution of AI capabilities does not compromise the application's foundational integrity.
May 18, 2026
1,766 words in the original blog post.
Strapi has publicly disclosed and patched five significant security vulnerabilities in its software, thanks to contributions from its community and internal security team. These vulnerabilities include a rate limit bypass on authentication routes (CVE-2025-64526), an SQL injection in the Content-Type Builder (CVE-2026-22599), failure to revoke existing refresh sessions upon password resets (CVE-2026-22706), MIME validation bypass in the Upload plugin (CVE-2026-22707), and a sensitive data leak via relational filtering (CVE-2026-27886). To mitigate these issues, users are advised to update their Strapi installations to specific newer versions. The company emphasizes its commitment to responsible disclosure by coordinating with reporting researchers before public announcements and urges the community to report any new vulnerabilities responsibly. Strapi has also highlighted the challenges posed by an increase in AI-assisted vulnerability report submissions, noting that many reports are invalid, which has impacted their triage timelines.
May 13, 2026
2,241 words in the original blog post.
Organizations running Strapi in production face a decision between self-hosting and utilizing Strapi Cloud, which offers a managed infrastructure solution. Self-hosted setups require significant initial infrastructure work, including server provisioning, database configuration, and environment management, all of which are handled by Strapi Cloud's guided setup process. Strapi Cloud simplifies maintenance by managing updates, security patches, and infrastructure scaling, with performance managed through plan-based limits on API requests, storage, and bandwidth. This approach provides predictable cost structures with transparent overage billing, eliminating the hidden costs of engineering time associated with self-hosting. The platform also supports easy collaboration and access management, enabling project sharing with teammates or external collaborators. Strapi Cloud ensures data and code portability, allowing teams to revert to self-hosting if necessary. This alternative to self-hosting offers a streamlined, efficient, and cost-effective path, encouraging teams to reconsider current hosting practices.
May 12, 2026
1,724 words in the original blog post.
The debate between REST and GraphQL often centers around the misconception that REST forces over-fetching while GraphQL allows clients to request only the data they need. However, modern REST APIs, including those in Strapi v5, offer similar field selection capabilities through specifications like JSON:API and OData. While REST generally excels in areas like caching, error semantics, and operational tooling, GraphQL offers advantages in scenarios involving federation or when multiple clients require different data slices from the same graph. In Strapi v5, REST APIs are enabled by default, providing straightforward handling of file uploads and compatibility with OpenAPI for TypeScript type safety. GraphQL, available as a plugin, is beneficial in specific use cases such as custom queries and component-level field selection but requires additional setup and infrastructure management. While both APIs have their strengths and weaknesses, the decision on which to use often depends on specific project requirements and existing infrastructures, such as whether a frontend is already oriented around GraphQL libraries like Apollo or Relay. For most projects, REST remains a reliable choice, particularly when leveraging modern features and tools that address previous limitations.
May 04, 2026
8,697 words in the original blog post.
In the final part of a series on building a note-taking application with GraphQL, Strapi v5, and Next.js 16, the focus is on implementing user-specific content access and authorization. The tutorial details how to ensure each user can only view and modify their own notes by using Strapi's users-permissions plugin for JWT-based authentication and a Document Service middleware for enforcing ownership rules on both REST and GraphQL APIs. The middleware automatically assigns an owner to each note upon creation and filters read operations to return only the signed-in user's notes, while also blocking unauthorized updates and deletions. This approach centralizes data protection across all entry points, eliminating the need for duplicated logic. The tutorial further explains how to integrate these functionalities into a Next.js frontend, including user registration, login, and navigation, with JWTs stored in HTTP-only cookies for security. The series concludes with suggestions for extending this foundation to include features like shared notes and enhanced role-based permissions.
May 04, 2026
13,071 words in the original blog post.