Menu
Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles.
Standardize BRD and BRD-lite discovery for business goals, stakeholder impact, current-to-future state, and measurable value outcomes. Use when creating BRD, business case, project justification, ROI narrative, or AS-IS to TO-BE scope.
Standardize PRD discovery and drafting for product scope, user outcomes, requirement IDs, and acceptance criteria. Use when creating PRD, product requirements, feature specification, or acceptance criteria plan.
Standardize SRS and FRS specifications for technical behavior, interfaces, data contracts, quality constraints, and verification mapping. Use when writing SRS, functional specification, system behavior requirements, API/data contracts, or non-functional thresholds.
Clarify a rough product or engineering idea into a BRD-lite brief (Why) with measurable business value.
Turn an approved PRD or implementation goal into SRS/FRS technical requirements (How), architecture, contracts, and verification decisions.
Plan a feature from BRD-lite brief or clear intent into PRD (What), decisions, implementation plan, and task slices.
| name | nextjs-security |
| description | Secure Next.js App Router with middleware auth, Server Action validation, CSP headers, and taint APIs. Use when adding authentication middleware, validating Server Action inputs with Zod, or preventing secret leakage to client bundles. |
| metadata | {"triggers":{"files":["app/**/actions.ts","middleware.ts"],"keywords":["action","boundary","sanitize","auth","jose"]}} |
middleware.ts to verify JWT/session on protected routes.await auth() first.server-only — Import in modules containing secrets to prevent client bundling.taintObjectReference to block server objects from reaching client.middleware.ts for edge-side authentication, role-based access control (RBAC), and enforcing Security Headers (e.g., Content-Security-Policy (CSP), X-XSS-Protection).FormData or JSON using Zod. Perform authentication checks (await auth()) inside every action to verify caller.experimental_taint API (taintObjectReference) to ensure sensitive server objects (e.g., User with passwordHash) never leak into Client Component.route.ts): Implement rate limiting to prevent brute-force or DoS attacks. Verify Origin/Referer headers to mitigate CSRF (Cross-Site Request Forgery).HttpOnly, Secure cookies with SameSite: 'Lax' for session management. Never store tokens in localStorage.server-only package to prevent backend-specific logic from included in client bundle.dangerouslySetInnerHTML without sanitizer like DOMPurify.process.env in client bundles: Mark as NEXT_PUBLIC_ only if safe to expose.