nextjs-security

$npx mdskill add HoangNguyen0403/agent-skills-standard/nextjs-security

Secures Next.js apps with middleware, Zod validation, and security headers

  • Adds authentication middleware for protected routes
  • Uses Zod for Server Action input validation and taint APIs
  • Analyzes files like middleware.ts and app/**/actions.ts for injection points
  • Applies security headers and prevents secret leakage to client bundles

SKILL.md

.github/skills/nextjs-securityView on GitHub ↗
---
name: nextjs-security
description: Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles.
metadata:
  triggers:
    files:
    - 'app/**/actions.ts'
    - 'middleware.ts'
    keywords:
    - action
    - boundary
    - sanitize
    - auth
    - jose
---
# Next.js Security

## **Priority: P0 (CRITICAL)**

## Workflow: Secure Next.js App

1. **Add auth middleware** — Create `middleware.ts` to verify JWT/session on protected routes.
2. **Validate Server Actions** — Parse all inputs with Zod schemas; call `await auth()` first.
3. **Set security headers** — Add CSP, HSTS, X-Frame-Options in middleware response.
4. **Use `server-only`** — Import in modules containing secrets to prevent client bundling.
5. **Taint sensitive objects** — Use `taintObjectReference` to block server objects from reaching client.

## Secure Server Action Example

See [implementation examples](references/implementation.md)

## Implementation Guidelines

- **Next.js Middleware**: Use **`middleware.ts`** for edge-side authentication, role-based access control (RBAC), and enforcing **Security Headers** (e.g., **`Content-Security-Policy (CSP)`**, **`X-XSS-Protection`**).
- **Server Actions**: Always **sanitize all inputs** from `FormData` or JSON using **Zod**. Perform **authentication checks** (`await auth()`) inside every action to verify caller.
- **Data Tainting**: Use **`experimental_taint`** API (**`taintObjectReference`**) to ensure sensitive server objects (e.g., User with `passwordHash`) never leak into Client Component.
- **Route Handlers (`route.ts`)**: Implement **rate limiting** to prevent brute-force or DoS attacks. Verify **Origin/Referer headers** to mitigate **CSRF** (Cross-Site Request Forgery).
- **Auth Tokens**: strictly use **`HttpOnly`, `Secure` cookies** with **`SameSite: 'Lax'`** for session management. Never store tokens in `localStorage`.
- **Logic Isolation**: use **`server-only`** package to prevent backend-specific logic from included in client bundle.
- **Component Purity**: **Escape all user-provided content** rendered in components. Never use **`dangerouslySetInnerHTML`** without sanitizer like **`DOMPurify`**.

## Anti-Patterns

- **No leaking DB fields to client**: Use DTOs; never pass raw model objects.
- **No `process.env` in client bundles**: Mark as `NEXT_PUBLIC_` only if safe to expose.
- **No unvalidated Server Action inputs**: Always validate with Zod schema.
- **No auth checks in shared Layouts**: Auth in layouts insecure; use Middleware.

## References

- [Secure App Router Patterns](references/implementation.md)

More from HoangNguyen0403/agent-skills-standard

SkillDescription
android-agp-upgradeUpgrade an Android project to Android Gradle Plugin (AGP) 9. Use when migrating to AGP 9, updating Gradle build files, migrating to built-in Kotlin, or adopting the new AGP DSL.
android-architectureApply Clean Architecture layering, modularization, and Unidirectional Data Flow in Android projects. Use when setting up project structure, placing code in layers, configuring feature/core modules, or implementing UDF patterns.
android-background-workImplement WorkManager and background processing correctly on Android. Use when creating Worker classes, scheduling tasks, choosing between WorkManager and Foreground Services, or setting up Hilt in workers.
android-composeBuild high-performance declarative UI with Jetpack Compose. Use when writing Composable functions, optimizing recomposition, hoisting state, or working with LazyColumn and side effects.
android-compose-migrationMigrate an Android XML View to Jetpack Compose following a structured 10-step workflow. Use when converting XML layouts to Compose, setting up Compose in an existing View-based project, or incrementally adopting Compose.
android-concurrencyWrite correct coroutine scopes, Flow collection, and dispatcher injection in Android. Use when writing suspend functions, choosing between StateFlow and SharedFlow, or injecting Dispatchers for testability.
android-deploymentConfigure release signing, R8 obfuscation, and App Bundle publishing for Android. Use when setting up signing configs, enabling minification, adding ProGuard keep rules, or preparing for Play Store submission.
android-design-systemEnforce Material Design 3 theming and design token usage in Jetpack Compose. Use when implementing M3 components, color schemes, typography, or design tokens.
android-diConfigure Hilt dependency injection with proper scoping, modules, and constructor injection in Android. Use when setting up Hilt DI, defining modules, or configuring component scoping.
android-edge-to-edgeMigrate a Jetpack Compose app to edge-to-edge display and fix system bar inset issues. Use when UI components are obscured by navigation/status bars, fixing IME insets, or enabling edge-to-edge for SDK 35+.