> nextjs-security
Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles. (triggers: app/**/actions.ts, middleware.ts, action, boundary, sanitize, auth, jose)
Next.js Security
Priority: P0 (CRITICAL)
Workflow: Secure a Next.js App
- Add auth middleware — Create `middleware.ts` to verify the JWT/session on protected routes.
- Validate Server Actions — Parse all inputs with Zod schemas; call `await auth()` first.
- Set security headers — Add CSP, HSTS, and X-Frame-Options to the middleware response.
- Use `server-only` — Import it in modules containing secrets to prevent client bundling.
- Taint sensitive objects — Use `taintObjectReference` to block server objects from reaching the client.
Secure Server Action Example
Implementation Guidelines
- Next.js Middleware: Use `middleware.ts` for edge-side authentication, role-based access control (RBAC), and enforcing security headers (e.g., `Content-Security-Policy` (CSP), `X-XSS-Protection`).
- Server Actions: Always sanitize all inputs from `FormData` or JSON using Zod. Perform an authentication check (`await auth()`) inside every action to verify the caller.
- Data Tainting: Use the `experimental_taint` API (`taintObjectReference`) to ensure sensitive server objects (e.g., a User record with `passwordHash`) never leak into a Client Component.
- Route Handlers (`route.ts`): Implement rate limiting to prevent brute-force or DoS attacks. Verify the `Origin`/`Referer` headers to mitigate CSRF (Cross-Site Request Forgery).
- Auth Tokens: Strictly use `HttpOnly`, `Secure` cookies with `SameSite: 'Lax'` for session management. Never store tokens in `localStorage`.
- Logic Isolation: Use the `server-only` package to prevent backend-specific logic from being included in the client bundle.
- Component Purity: Escape all user-provided content rendered in components. Never use `dangerouslySetInnerHTML` without a sanitizer like `DOMPurify`.
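The middleware steps of the workflow (auth gating, security headers) and the Route Handler guideline on `Origin`/`Referer` checking, as an added example that is not the skill's own code: framework-agnostic TypeScript helpers a `middleware.ts` could call to gate protected routes, attach CSP/HSTS/X-Frame-Options, and reject cross-origin state-changing requests. The `MinimalRequest` shape, the route prefixes, and the `hasValidSession` flag (standing in for the jose JWT or session-cookie check) are assumptions.

```typescript
// Added example (not the skill's own code): framework-agnostic helpers a Next.js
// middleware.ts could call. They need only a {method, pathname, headers.get}
// shape that Request/NextRequest satisfy, so they run outside Next.js.
interface MinimalRequest {
  method: string;
  pathname: string;
  headers: { get(name: string): string | null };
}
// What middleware would turn into NextResponse.next() / redirect() / a 403 response.
interface Decision { kind: 'next' | 'redirect' | 'forbidden'; to?: string; headers?: Record<string, string> }

// Assumed protected route prefixes (constructed sample).
const PROTECTED_PREFIXES = ['/dashboard', '/api/admin'];

function isProtectedPath(pathname: string): boolean {
  return PROTECTED_PREFIXES.some(p => pathname === p || pathname.indexOf(p + '/') === 0);
}

// Headers set on every response. The CSP carries a per-request nonce plus
// 'strict-dynamic', so inline scripts need the nonce instead of 'unsafe-inline'.
function securityHeaders(nonce: string): Record<string, string> {
  return {
    'Content-Security-Policy':
      `default-src 'self'; script-src 'self' 'nonce-${nonce}' 'strict-dynamic'; ` +
      `object-src 'none'; base-uri 'self'; frame-ancestors 'none'`,
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
  };
}

// CSRF guard for state-changing methods: the Origin header (or the Referer's
// origin as fallback) must match the Host the request arrived on.
function isSameOriginRequest(req: MinimalRequest): boolean {
  if (['GET', 'HEAD', 'OPTIONS'].indexOf(req.method.toUpperCase()) !== -1) return true;
  const host = req.headers.get('host');
  const source = req.headers.get('origin') ?? req.headers.get('referer');
  if (!host || !source) return false;            // no provenance at all: reject
  try { return new URL(source).host === host; } catch { return false; }
}

// `hasValidSession` stands in for the jose JWT / session-cookie verification (assumed).
function decide(req: MinimalRequest, hasValidSession: boolean, nonce: string): Decision {
  if (!isSameOriginRequest(req)) return { kind: 'forbidden' };
  if (isProtectedPath(req.pathname) && !hasValidSession) {
    return { kind: 'redirect', to: '/login?next=' + encodeURIComponent(req.pathname) };
  }
  return { kind: 'next', headers: securityHeaders(nonce) };
}
```

In a real `middleware.ts`, map `kind` onto `NextResponse.next()` (copying the headers), `NextResponse.redirect()`, or a 403 `NextResponse.json()`, and generate a fresh nonce per request.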
Anti-Patterns
- No leaking DB fields to client: Use DTOs; never pass raw model objects.
- No `process.env` in client bundles: Mark a variable `NEXT_PUBLIC_` only if it is safe to expose.
- No unvalidated Server Action inputs: Always validate with a Zod schema.
- No auth checks in shared Layouts: Auth in layouts is insecure; use Middleware.
References