hoangnguyen0403/nextjs-security
skills/nextjs/nextjs-security/SKILL.md
Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard nextjs-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 3:40 AM167.4s3 files scanned
SKILL.md
- name:
- nextjs-security
- description:
- Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles.
Next.js Security
Priority: P0 (CRITICAL)
Workflow: Secure Next.js App
- Add auth middleware — Create
middleware.tsto verify JWT/session on protected routes. - Validate Server Actions — Parse all inputs with Zod schemas; call
await auth()first. - Set security headers — Add CSP, HSTS, X-Frame-Options in middleware response.
- Use
server-only— Import in modules containing secrets to prevent client bundling. - Taint sensitive objects — Use
taintObjectReferenceto block server objects from reaching client.
Secure Server Action Example
See implementation examples
Implementation Guidelines
- Next.js Middleware: Use
middleware.tsfor edge-side authentication, role-based access control (RBAC), and enforcing Security Headers (e.g.,Content-Security-Policy (CSP),X-XSS-Protection). - Server Actions: Always sanitize all inputs from
FormDataor JSON using Zod. Perform authentication checks (await auth()) inside every action to verify caller. - Data Tainting: Use
experimental_taintAPI (taintObjectReference) to ensure sensitive server objects (e.g., User withpasswordHash) never leak into Client Component. - Route Handlers (
route.ts): Implement rate limiting to prevent brute-force or DoS attacks. Verify Origin/Referer headers to mitigate CSRF (Cross-Site Request Forgery). - Auth Tokens: strictly use
HttpOnly,Securecookies withSameSite: 'Lax'for session management. Never store tokens inlocalStorage. - Logic Isolation: use
server-onlypackage to prevent backend-specific logic from included in client bundle. - Component Purity: Escape all user-provided content rendered in components. Never use
dangerouslySetInnerHTMLwithout sanitizer likeDOMPurify.
Anti-Patterns
- No leaking DB fields to client: Use DTOs; never pass raw model objects.
- No
process.envin client bundles: Mark asNEXT_PUBLIC_only if safe to expose. - No unvalidated Server Action inputs: Always validate with Zod schema.
- No auth checks in shared Layouts: Auth in layouts insecure; use Middleware.
References
- Secure App Router Patterns
Related Skills
hoangnguyen0403/specialist-pr-reviewer
development
VerifiedTrustedCommunity
Summarizes GitHub PR, GitLab MR, or Azure DevOps PR metadata, review threads, changed files, and template completeness. Use during review-ticket or code-review workflows when PR/MR context exists.
498SKILL.mdUpdated May 23, 2026
hoangnguyen0403/typescript-tooling
tools
VerifiedTrustedCommunity
Development tools, linting, and build config for TypeScript. Use when configuring ESLint, Prettier, Jest, Vitest, tsconfig, or any TS build tooling.
498SKILL.mdUpdated May 21, 2026
hoangnguyen0403/typescript-security
development
VerifiedTrustedCommunity
Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.
498SKILL.mdUpdated May 21, 2026
hoangnguyen0403/typescript-language
development
VerifiedTrustedCommunity
Apply modern TypeScript standards for type safety and maintainability. Use when working with types, interfaces, generics, enums, unions, or tsconfig settings.
498SKILL.mdUpdated May 21, 2026