| name | phase-7-seo-security |
| description | Skill for enhancing search optimization (SEO) and security.
Covers meta tags, semantic HTML, and security vulnerability checks.
Use proactively when user asks about search ranking, security hardening, or vulnerability fixes.
Triggers: SEO, security, meta tags, XSS, CSRF, ๋ณด์, ใปใญใฅใชใใฃ, ๅฎๅ
จ,
seguridad, etiquetas meta, optimizaciรณn de bรบsqueda,
sรฉcuritรฉ, balises mรฉta, optimisation pour les moteurs de recherche,
Sicherheit, Meta-Tags, Suchmaschinenoptimierung,
sicurezza, tag meta, ottimizzazione per i motori di ricerca
Do NOT use for: backend-only APIs, internal tools, or basic development setup.
|
| imports | ["${PLUGIN_ROOT}/templates/pipeline/phase-7-seo-security.template.md"] |
| agent | bkit:code-analyzer |
| allowed-tools | ["Read","Edit","Glob","Grep","WebSearch"] |
| user-invocable | false |
| next-skill | phase-8-review |
| pdca-phase | do |
| task-template | [Phase-7] {feature} |
Phase 7: SEO/Security
Search optimization and security enhancement
Purpose
Make the application discoverable through search and defend against security vulnerabilities.
What to Do in This Phase
- SEO Optimization: Meta tags, structured data, sitemap
- Performance Optimization: Core Web Vitals improvement
- Security Enhancement: Authentication, authorization, vulnerability defense
Deliverables
docs/02-design/
โโโ seo-spec.md # SEO specification
โโโ security-spec.md # Security specification
src/
โโโ middleware/ # Security middleware
โโโ components/
โโโ seo/ # SEO components
PDCA Application
- Plan: Define SEO/security requirements
- Design: Meta tags, security policy design
- Do: SEO/security implementation
- Check: Inspection and verification
- Act: Improve and proceed to Phase 8
Level-wise Application
| Level | Application Method |
|---|
| Starter | SEO only (minimal security) |
| Dynamic | SEO + basic security |
| Enterprise | SEO + advanced security |
SEO Checklist
Basic
Structured Data
Performance
Security Checklist
Authentication/Authorization
Data Protection
Communication Security
Security Architecture (Cross-Phase Connection)
Security Layer Structure
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Client (Browser) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Phase 6: UI Security โ
โ - XSS defense (input escaping) โ
โ - CSRF token inclusion โ
โ - No sensitive info storage on client โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Phase 4/6: API Communication Security โ
โ - HTTPS enforcement โ
โ - Authorization header (Bearer Token) โ
โ - Content-Type validation โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Phase 4: API Server Security โ
โ - Input validation โ
โ - Rate Limiting โ
โ - Minimal error messages (prevent sensitive info exposure) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Phase 2/9: Environment Variable Security โ
โ - Secrets management โ
โ - Environment separation โ
โ - Client-exposed variable distinction โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Security Responsibilities by Phase
| Phase | Security Responsibility | Verification Items |
|---|
| Phase 2 | Environment variable convention | NEXT_PUBLIC_* distinction, Secrets list |
| Phase 4 | API security design | Auth method, error codes, input validation |
| Phase 6 | Client security | XSS defense, token management, sensitive info |
| Phase 7 | Security implementation/inspection | Full security checklist |
| Phase 9 | Deployment security | Secrets injection, HTTPS, security headers |
Client Security (Phase 6 Connection)
XSS Defense Principles
โ ๏ธ XSS (Cross-Site Scripting) Defense
1. Never use innerHTML directly
2. Always sanitize user input when rendering as HTML
3. Leverage React's automatic escaping
4. Use DOMPurify library when needed
No Sensitive Information Storage
localStorage.setItem('password', password);
localStorage.setItem('creditCard', cardNumber);
localStorage.setItem('auth_token', token);
CSRF Defense
private async request<T>(endpoint: string, config: RequestConfig = {}) {
const headers = new Headers(config.headers);
const csrfToken = this.getCsrfToken();
if (csrfToken) {
headers.set('X-CSRF-Token', csrfToken);
}
}
API Security (Phase 4 Connection)
Input Validation (Server-side)
import { z } from 'zod';
const CreateUserSchema = z.object({
email: z.string().email(),
password: z.string().min(8).max(100),
name: z.string().min(1).max(50),
});
export async function POST(req: Request) {
const body = await req.json();
const result = CreateUserSchema.safeParse(body);
if (!result.success) {
return Response.json({
error: {
code: 'VALIDATION_ERROR',
message: 'Input is invalid.',
details: result.error.flatten().fieldErrors,
}
}, { status: 400 });
}
const { email, password, name } = result.data;
}
Error Message Security
{
message: 'User with email test@test.com not found',
stack: error.stack,
}
{
code: 'NOT_FOUND',
message: 'User not found.',
}
console.error(`User not found: ${email}`, error);
Rate Limiting
import { Ratelimit } from '@upstash/ratelimit';
const ratelimit = new Ratelimit({
redis: Redis.fromEnv(),
limiter: Ratelimit.slidingWindow(10, '10 s'),
});
export async function middleware(request: NextRequest) {
const ip = request.ip ?? '127.0.0.1';
const { success } = await ratelimit.limit(ip);
if (!success) {
return new Response('Too Many Requests', { status: 429 });
}
}
Environment Variable Security (Phase 2/9 Connection)
Client Exposure Check
const serverEnvSchema = z.object({
DATABASE_URL: z.string(),
AUTH_SECRET: z.string(),
});
const clientEnvSchema = z.object({
NEXT_PUBLIC_APP_URL: z.string(),
});
export const serverEnv = serverEnvSchema.parse(process.env);
export const clientEnv = clientEnvSchema.parse({
NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
});
Security Header Configuration
const securityHeaders = [
{ key: 'Strict-Transport-Security', value: 'max-age=63072000' },
{ key: 'X-Frame-Options', value: 'SAMEORIGIN' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
];
module.exports = {
async headers() {
return [{ source: '/:path*', headers: securityHeaders }];
},
};
Security Verification Checklist (Phase 8 Connection)
Required (All Levels)
Recommended (Dynamic and above)
Advanced (Enterprise)
Next.js SEO Example
export const metadata: Metadata = {
title: {
default: 'Site Name',
template: '%s | Site Name',
},
description: 'Site description',
openGraph: {
type: 'website',
locale: 'en_US',
url: 'https://example.com',
siteName: 'Site Name',
},
};
Template
See templates/pipeline/phase-7-seo-security.template.md
Next Phase
Phase 8: Review โ After optimization, verify overall code quality