Agent-Skills.md

Agent Skills: Next.js Security

Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles. (triggers: app/**/actions.ts, middleware.ts, action, boundary, sanitize, auth, jose)

UncategorizedID: hoangnguyen0403/agent-skills-standard/nextjs-security

Repository

hoangnguyen0403/agent-skills-standard
HoangNguyen0403License: Apache-2.0
362103

Install this agent skill to your local

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/skills/nextjs/nextjs-security

Skill Files

Browse the full folder contents for nextjs-security.

Download Skill

Loading file tree…

skills/nextjs/nextjs-security/SKILL.md

Skill Metadata

Name
nextjs-security
Description
"Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles. (triggers: app/**/actions.ts, middleware.ts, action, boundary, sanitize, auth, jose)"

Next.js Security

Priority: P0 (CRITICAL)

Workflow: Secure a Next.js App

  1. Add auth middleware — Create middleware.ts to verify JWT/session on protected routes.
  2. Validate Server Actions — Parse all inputs with Zod schemas; call await auth() first.
  3. Set security headers — Add CSP, HSTS, X-Frame-Options in middleware response.
  4. Use server-only — Import in modules containing secrets to prevent client bundling.
  5. Taint sensitive objects — Use taintObjectReference to block server objects from reaching client.

Secure Server Action Example

See implementation examples

Implementation Guidelines

  • Next.js Middleware: Use middleware.ts for edge-side authentication, role-based access control (RBAC), and enforcing Security Headers (e.g., Content-Security-Policy (CSP), X-XSS-Protection).
  • Server Actions: Always sanitize all inputs from FormData or JSON using Zod. Perform authentication checks (await auth()) inside every action to verify the caller.
  • Data Tainting: Use the experimental_taint API (taintObjectReference) to ensure sensitive server objects (e.g., User with passwordHash) never leak into a Client Component.
  • Route Handlers (route.ts): Implement rate limiting to prevent brute-force or DoS attacks. Verify Origin/Referer headers to mitigate CSRF (Cross-Site Request Forgery).
  • Auth Tokens: strictly use HttpOnly, Secure cookies with SameSite: 'Lax' for session management. Never store tokens in localStorage.
  • Logic Isolation: use the server-only package to prevent backend-specific logic from being included in the client bundle.
  • Component Purity: Escape all user-provided content rendered in components. Never use dangerouslySetInnerHTML without a sanitizer like DOMPurify.

Anti-Patterns

  • No leaking DB fields to client: Use DTOs; never pass raw model objects.
  • No process.env in client bundles: Mark as NEXT_PUBLIC_ only if safe to expose.
  • No unvalidated Server Action inputs: Always validate with Zod schema.
  • No auth checks in shared Layouts: Auth in layouts is insecure; use Middleware.

References