| name | security-review |
| description | Security review checklist for Next.js applications. Auto-triggered during security reviews, auth implementation, API route creation, or when handling user input. Covers OWASP Top 10, Next.js-specific security, and auth patterns. |
| model | opus |
| allowed-tools | ["Read","Grep","Glob","Bash"] |
| context | fork |
| agent | security-reviewer |
# Security Review Checklist

## OWASP Top 10 categories to check

The categories below are the ones that most often surface in a Next.js code base, with the places a reviewer should look first:

1. Injection (SQL, NoSQL, command): raw queries (`$queryRaw`, SQL built from strings), `child_process` calls and shell commands assembled from request data in route handlers and Server Actions.
2. Broken authentication: session handling in middleware, route handlers and Server Actions; check that the session is validated, not merely present.
3. Sensitive data exposure: secrets in `NEXT_PUBLIC_` variables, server-only data passed as props from Server Components to Client Components, verbose error responses.
4. XSS (Cross-Site Scripting): `dangerouslySetInnerHTML`, unsanitized `href` values (`javascript:` URLs), HTML built from user content.
5. CSRF (Cross-Site Request Forgery): Server Actions get a built-in Origin/Host comparison from Next.js; route handlers (`route.ts`) do not, so cookie-authenticated `POST`/`PUT`/`DELETE` handlers need their own origin check or token.
6. Security misconfiguration: missing security headers, permissive CORS, debug or verbose settings left on in production, an outdated `next` version.
7. Broken access control: authorization performed only in middleware or only in the UI, missing per-record ownership checks (IDOR) in route handlers and Server Actions.
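The CSRF item deserves a concrete check. Next.js compares the `Origin` header against the host for Server Actions, but a route handler that mutates state and relies on cookie authentication gets no such protection. The function below, added here as an example and not code from the original checklist or from Next.js, performs that comparison for a route handler; the lowercase header map, the `allowedOrigins` parameter and the decision to reject a missing `Origin` header are this example's own choices.

```typescript
// Same-origin check for cookie-authenticated route handlers. Added example;
// not part of the original checklist. Header names are lowercase, as the
// Fetch Headers API returns them; allowedOrigins is an optional allowlist
// for trusted secondary origins (an admin host, for instance).

type HeaderMap = Record<string, string | undefined>;

const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function hostOf(origin: string): string | null {
  try {
    return new URL(origin).host; // includes the port, like the Host header
  } catch {
    return null; // the literal "null" Origin and malformed values never match
  }
}

// Returns null when the request may proceed, otherwise the reason to reject.
export function csrfReject(
  method: string,
  headers: HeaderMap,
  allowedOrigins: string[] = [],
): string | null {
  // Safe methods are not CSRF targets; only mutating requests are checked.
  if (!STATE_CHANGING.has(method.toUpperCase())) return null;

  // Sec-Fetch-Site is set by the browser and cannot be forged by page script,
  // so an explicit cross-site value is an immediate reject.
  if (headers["sec-fetch-site"] === "cross-site") {
    return "cross-site request (Sec-Fetch-Site)";
  }

  const origin = headers["origin"];
  if (!origin) {
    // Browsers always send Origin on cross-origin mutating requests. A missing
    // header means a non-browser client, which should authenticate with a
    // bearer token rather than cookies; rejecting is the conservative choice.
    return "missing Origin header";
  }
  const originHost = hostOf(origin);
  if (!originHost) return `unparseable Origin: ${origin}`;

  // Behind a reverse proxy the public host arrives in X-Forwarded-Host.
  const expected = headers["x-forwarded-host"] ?? headers["host"];
  if (originHost === expected) return null;
  if (allowedOrigins.some((o) => hostOf(o) === originHost)) return null;
  return `Origin ${originHost} does not match host ${expected ?? "(none)"}`;
}
```

In a `route.ts`, build the map with `Object.fromEntries(request.headers)` (the Fetch `Headers` iterator yields lowercase names) and return a 403 whenever `csrfReject` is non-null, before any session lookup. The `x-forwarded-host` fallback is only safe when the proxy in front of the app overwrites that header; if it passes client-supplied values through, compare against a configured public host instead.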
## Next.js-Specific Checks

### Server Actions

A Server Action is a publicly reachable POST endpoint no matter which component imports it, so every action must validate its input and authorize the caller itself; a check in the page that renders the form does not count. The reference shape:

```ts
"use server";
import { z } from "zod";
// getSession and db are the app's own helpers (session lookup, ORM client);
// the import paths are placeholders for wherever the project defines them.
import { getSession } from "@/lib/session";
import { db } from "@/lib/db";

export async function deleteUser(id: string) {
  // 1. Validate the shape of the argument before it touches anything.
  const parsed = z.string().uuid().safeParse(id);
  if (!parsed.success) throw new Error("Invalid ID");
  // 2. Authorize on every call; the session is read server-side, never trusted from the client.
  const session = await getSession();
  if (!session?.user?.isAdmin) throw new Error("Unauthorized");
  await db.user.delete({ where: { id: parsed.data } });
}
```
### Environment Variables

Only variables prefixed with `NEXT_PUBLIC_` are inlined into the browser bundle at build time; everything else stays on the server. A secret that is renamed to `NEXT_PUBLIC_` to "make it work" in a Client Component ships to every visitor.

```bash
# Server-only (safe)
DATABASE_URL=...
API_SECRET=...
# Client-exposed (NEVER put secrets here)
NEXT_PUBLIC_API_URL=...
NEXT_PUBLIC_SITE_NAME=...
```

Review checks: grep the `.next/static` output for server secret values after a production build; look for server-only values passed as props to Client Components (they are serialized into the page); and add `import "server-only"` to modules that read secrets so that importing them from client code fails at build time.
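The two review checks above can be scripted. The function below is an added example, not code from the original checklist or from Next.js: it reports server-only values that appear in anything delivered to the browser (static chunks, rendered HTML) and `NEXT_PUBLIC_` variables whose names suggest a secret. The environment and artifact contents are constructed sample data with made-up credentials; in a real review they come from the deployment's environment and from the files under `.next`.

```typescript
// Added example, not part of the original checklist. Scans client-delivered
// artifacts for server-only secret values and flags secret-looking
// NEXT_PUBLIC_ names. Inputs are plain objects so the check runs offline.

export interface EnvFinding {
  kind: "server-value-reaches-client" | "secret-named-public-var";
  name: string;
  where?: string; // artifact path for value hits
}

const SECRET_NAME = /SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY|ACCESS_KEY/i;
const MIN_VALUE_LENGTH = 8; // "true", "1" or "prod" would match by coincidence

export function auditEnv(
  env: Record<string, string>,
  clientArtifacts: Record<string, string>, // path -> contents
): EnvFinding[] {
  const findings: EnvFinding[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith("NEXT_PUBLIC_")) {
      // NEXT_PUBLIC_* is inlined into the client bundle at build time, so a
      // secret-looking name is a finding whatever the value happens to be.
      if (SECRET_NAME.test(name)) findings.push({ kind: "secret-named-public-var", name });
      continue;
    }
    if (value.length < MIN_VALUE_LENGTH) continue;
    for (const [where, contents] of Object.entries(clientArtifacts)) {
      if (contents.includes(value)) {
        findings.push({ kind: "server-value-reaches-client", name, where });
      }
    }
  }
  return findings;
}

// Constructed sample (no real credentials, illustrative paths). DATABASE_URL
// reaches the browser because a Server Component passed a config object that
// contained it as a prop to a Client Component, which serialized it into the page.
export const SAMPLE_ENV: Record<string, string> = {
  DATABASE_URL: "postgres://app:s3cretpw@db.internal:5432/app",
  API_SECRET: "sk_live_abcdef1234567890",
  NODE_ENV: "production",
  NEXT_PUBLIC_API_URL: "https://api.example.com",
  NEXT_PUBLIC_SITE_NAME: "Example",
  NEXT_PUBLIC_STRIPE_SECRET_KEY: "sk_test_should_not_be_here",
};

export const SAMPLE_ARTIFACTS: Record<string, string> = {
  ".next/static/chunks/app/page-1a2b.js":
    'fetch("https://api.example.com/items").then((r) => r.json())',
  ".next/server/app/page.html":
    '<script>self.__next_f.push(["config",{"db":"postgres://app:s3cretpw@db.internal:5432/app"}])</script>',
};

export function runSampleAudit(): EnvFinding[] {
  return auditEnv(SAMPLE_ENV, SAMPLE_ARTIFACTS);
}
```

On the sample this yields two findings: `DATABASE_URL` present in the rendered page, and `NEXT_PUBLIC_STRIPE_SECRET_KEY` by name. `API_SECRET` is not reported because its value appears in no client artifact, which is the expected state for a server-only variable.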
### Middleware Auth Pattern

```ts
import { NextResponse, type NextRequest } from "next/server";

export function middleware(request: NextRequest) {
  // Presence check only: the cookie's validity is not verified here.
  const session = request.cookies.get("session");
  if (!session && request.nextUrl.pathname.startsWith("/dashboard")) {
    return NextResponse.redirect(new URL("/login", request.url));
  }
  // Returning nothing lets the request continue to the route.
}

// Limit the middleware to the protected area; the in-function path check is kept so the gate is explicit.
export const config = { matcher: ["/dashboard/:path*"] };
```

Treat this as a routing convenience, not the authorization boundary. It only checks that a cookie exists, so a forged or expired cookie passes; the session must be verified again in every route handler, Server Action and Server Component that returns protected data. Middleware has also been bypassable outright: CVE-2025-29927 let a client skip it by sending an `x-middleware-subrequest` header, fixed in Next.js 15.2.3, 14.2.25 and 13.5.9. A review should confirm both the `next` version and that no protected route depends on middleware alone.
### Dependency Audit

```bash
pnpm audit        # report known advisories for the packages in the lockfile
pnpm audit --fix  # adds pnpm.overrides entries to package.json to force patched versions
```

`--fix` changes resolved versions without the dependents' consent, so review the added overrides and re-run the test suite before committing them. Check the `next` package itself separately: framework advisories (middleware, image optimizer, Server Actions) are the ones with the widest blast radius.
### Security Headers (next.config.ts)

```ts
const securityHeaders = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];

// The array does nothing until it is returned from headers(); apply it to every route.
export default {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};
```

This list does not include `Strict-Transport-Security` or `Content-Security-Policy`. HSTS is often set by the TLS terminator, so confirm where it comes from; a CSP usually has to be generated per request (Next.js supports nonces via middleware), and its absence should be recorded as a finding.
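Configuration is only half of the check; the other half is confirming what the deployed app actually sends. The function below is an added example, not the checklist's own code: it audits a set of response headers for the four entries in the config above and, going beyond that list, also expects HSTS and a CSP. The lowercase-keyed header map, the 180-day HSTS threshold and the sample header sets are this example's own choices.

```typescript
// Added example, not part of the original checklist: audit response headers
// as a reviewer would after deploying the next.config.ts above. Keys are
// lowercase header names (as returned by the Fetch Headers API).

export interface HeaderFinding {
  header: string;
  problem: string;
}

const ALLOWED_FRAME_OPTIONS = new Set(["deny", "sameorigin"]);
const MIN_HSTS_MAX_AGE = 15552000; // 180 days; this example's threshold

export function auditSecurityHeaders(h: Record<string, string | undefined>): HeaderFinding[] {
  const out: HeaderFinding[] = [];
  const get = (name: string): string | undefined => h[name.toLowerCase()]?.trim();
  const missing = (header: string) => out.push({ header, problem: "missing" });

  const xfo = get("X-Frame-Options");
  if (!xfo) missing("X-Frame-Options");
  else if (!ALLOWED_FRAME_OPTIONS.has(xfo.toLowerCase())) {
    out.push({ header: "X-Frame-Options", problem: `unexpected value "${xfo}"` });
  }

  if (get("X-Content-Type-Options")?.toLowerCase() !== "nosniff") {
    out.push({ header: "X-Content-Type-Options", problem: "missing or not nosniff" });
  }

  const referrer = get("Referrer-Policy");
  if (!referrer) missing("Referrer-Policy");
  else if (/unsafe-url|no-referrer-when-downgrade/i.test(referrer)) {
    out.push({ header: "Referrer-Policy", problem: "sends the full URL to other origins" });
  }

  if (!get("Permissions-Policy")) missing("Permissions-Policy");

  const hsts = get("Strict-Transport-Security");
  if (!hsts) missing("Strict-Transport-Security");
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const age = m ? Number(m[1]) : 0;
    if (age < MIN_HSTS_MAX_AGE) {
      out.push({ header: "Strict-Transport-Security", problem: `max-age ${age} is below ${MIN_HSTS_MAX_AGE}` });
    }
  }

  const csp = get("Content-Security-Policy");
  if (!csp) missing("Content-Security-Policy");
  else if (/script-src[^;]*'unsafe-inline'/i.test(csp) && !/'nonce-|'sha(256|384|512)-/i.test(csp)) {
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present in the
    // same policy, so only the bare form is reported.
    out.push({ header: "Content-Security-Policy", problem: "script-src allows 'unsafe-inline' with no nonce or hash" });
  }
  return out;
}

// Constructed sample headers: what the config above produces, and a hardened
// variant that adds HSTS and a nonce-based CSP.
export const HEADERS_FROM_CONFIG: Record<string, string> = {
  "x-frame-options": "DENY",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
};

export const HARDENED_HEADERS: Record<string, string> = {
  ...HEADERS_FROM_CONFIG,
  "strict-transport-security": "max-age=63072000; includeSubDomains",
  "content-security-policy":
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'",
};
```

Run against `HEADERS_FROM_CONFIG` the audit reports exactly two findings, the missing HSTS and CSP headers; the hardened set reports none. To audit a live deployment, fetch a page and pass `Object.fromEntries(response.headers)`.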
## Output Format

When performing a security review, output findings as:

| Severity | Category | File:Line | Finding | Remediation |
|---|---|---|---|---|
| Critical | Injection | src/app/api/users/route.ts:15 | User input concatenated into SQL | Use a parameterized query; validate the input with Zod |
| High | Auth | src/middleware.ts:3 | Missing auth check for /admin | Add session verification in the route handlers as well as middleware |
| Medium | XSS | src/components/comment.tsx:8 | dangerouslySetInnerHTML with user content | Sanitize with DOMPurify or render as text |