A set of best practices for keeping your Next.js apps secure.
Always validate user inputs with schemas
Sanitize rendered content
Be careful with dynamic imports
Separate API route handlers from page components
Secure API routes with proper authentication
Implement proper CSRF protection
Use proper error handling in API routes
return res.status(500).json({ error: err.stack })
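The line above sends err.stack to the client. As an added example (not code from the original cheatsheet), here is that leaky handler beside a hardened one that logs the details server-side and returns only a generic message plus a correlation id; req/res are constructed stand-ins for Next.js's NextApiRequest/NextApiResponse so the file runs without Next.js, and the handlers are synchronous for brevity.

```javascript
// Constructed data-access call that fails with an internals-revealing error.
function loadUser(id) {
  throw new Error(`ECONNREFUSED db-primary.internal:5432 while loading user ${id}`);
}

// Leaky: err.stack (file paths, internal hostnames, dependency versions)
// goes straight to the client in the 500 response.
function leakyHandler(req, res) {
  try {
    return res.status(200).json(loadUser(req.query.id));
  } catch (err) {
    return res.status(500).json({ error: err.stack });
  }
}

// Hardened: full details are logged server-side under a request id; the client
// gets only a generic message plus that id so support can correlate the two.
function safeHandler(req, res, log = console.error) {
  const requestId = newRequestId();
  try {
    return res.status(200).json(loadUser(req.query.id));
  } catch (err) {
    log({ requestId, path: req.url, message: err.message, stack: err.stack });
    return res.status(500).json({ error: 'Internal server error', requestId });
  }
}

// Simple id for correlating a client-visible error with the server log
// (a real app would use crypto.randomUUID()).
function newRequestId() {
  return Date.now().toString(36) + Math.random().toString(36).slice(2, 10);
}

// Constructed stand-in for NextApiResponse: records status code and JSON body.
function mockRes() {
  const res = { statusCode: 0, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Quick demonstration when run directly: first line of the leaked stack vs. the safe body.
const demoReq = { query: { id: '42' }, url: '/api/user?id=42' };
console.log(leakyHandler(demoReq, mockRes()).body.error.split('\n')[0]);
console.log(safeHandler(demoReq, mockRes(), () => {}).body);
```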
Implement rate limiting
Use environment variables correctly
Set appropriate Security Headers
Avoid client-side secrets in redirects
router.push(`/success?token=${token}`)
Secure cookies configuration
Beware of metadata injection
Secure file uploads