images.remotePatterns value to have specific domains as covered here. next dev or even next build && next start this works fine and it blocks images in other hostnames. opennextjs-cloudflare && wrangler dev (using oppennextjs 0.5.9) it does not block these images correctly, leaving us open to SSRF attacks.next/image Component.