In this paper a novel approach to co-design controller and attack detector for nonlinear cyber-physical systems affected by false data injection (FDI) attack is proposed. We augment the model predictive controller with an additional constraint requiring the future---in some steps ahead---trajectory of the system to remain in some time-invariant neighborhood of a properly designed reference trajectory. At any sampling time, we compare the real-time trajectory of the system with the designed reference trajectory, and construct a residual. The residual is then used in a nonparametric cumulative sum (CUSUM) anomaly detector to uncover FDI attacks on input and measurement channels. The effectiveness of the proposed approach is tested with a nonlinear model regarding level control of coupled tanks.