All Shopify + session secrets are server-only env vars. Only NEXT_PUBLIC_* reaches the browser.
Validate envs in lib/env.ts (zod). Boot fails on invalid envs.
Mutating Route Handlers MUST verify Origin matches APP_ORIGIN via verifySameOrigin.
Shopify webhooks: HMAC-verify with crypto.timingSafeEqual on the raw body.
Cookies: HttpOnly, Secure (prod), SameSite=Lax, signed/encrypted with SESSION_SECRET.
Strict CSP in production, relaxed only on /preview. Headers set in proxy.ts.
All Builder HTML through utils/sanitize-html.ts. No dangerouslySetInnerHTML outside that helper.
All Route Handler bodies validated with zod.

このリポジトリの他の Skills

同じリポジトリ

core-ui-migration

JasonYangCIS/builder-nextjs-shopify

How to move an app component into the headless @jasonyangcis/core-ui library — headless conversion, cross-repo file checklist, treeshake sentinel, changeset, consumer wiring.

2026-06-090

builder-page-wiring

JasonYangCIS/builder-nextjs-shopify

How to wire a new Builder.io-rendered route or model — fetch helper, route, registry, config.

2026-04-290

route-handlers

JasonYangCIS/builder-nextjs-shopify

Pattern for adding a server Route Handler under app/api/** — origin check, zod body, server-only deps, safe responses.

2026-04-290

builder-io

JasonYangCIS/builder-nextjs-shopify

Builder.io Gen-2 SDK patterns — fetch, render, register, model guard, preview.