# Chapter 23: Security Best Practices

Security is not an afterthought—it's a fundamental requirement for any production application. Next.js applications face unique security challenges spanning Server Components, Client Components, API routes, and middleware. Understanding common vulnerabilities and implementing defense-in-depth strategies protects your users, data, and reputation.

By the end of this chapter, you'll recognize common security vulnerabilities specific to Next.js, manage environment variables securely, implement Content Security Policies, prevent XSS and CSRF attacks, ensure secure data transmission, scan dependencies for vulnerabilities, and establish security headers and configurations for production deployment.

## 23.1 Common Security Vulnerabilities

Understanding the threat landscape helps you prioritize defenses effectively.

### Server Component Injection Risks

Server Components execute on the server, but improper data handling can still create vulnerabilities:

```typescript
// VULNERABLE: Direct interpolation of user input into SQL-like queries
// app/search/page.tsx
export default async function SearchPage({ 
  searchParams 
}: { 
  searchParams: { q: string } 
}) {
  // DANGER: If this were raw SQL, this would be SQL injection
  // Even with ORMs, be careful with raw queries
  const results = await prisma.$queryRaw`
    SELECT * FROM posts WHERE title LIKE '%${searchParams.q}%'
  `; // NEVER do this with template literals
  
  return <Results data={results} />;
}

// SECURE: Use parameterized queries
export default async function SearchPage({ 
  searchParams 
}: { 
  searchParams: { q: string } 
}) {
  // Prisma automatically parameterizes this
  const results = await prisma.post.findMany({
    where: {
      title: {
        contains: searchParams.q, // Safely parameterized
        mode: 'insensitive',
      },
    },
  });
  
  return <Results data={results} />;
}
```

### Path Traversal Protection

Prevent directory traversal when handling file paths:

```typescript
// app/api/files/[...path]/route.ts
import { NextRequest, NextResponse } from 'next/server';
import { join, resolve } from 'path';

export async function GET(
  request: NextRequest,
  { params }: { params: { path: string[] } }
) {
  // VULNERABLE: Direct path construction
  // const filePath = join(process.cwd(), 'uploads', ...params.path);
  
  // SECURE: Validate path is within allowed directory
  const basePath = resolve(process.cwd(), 'uploads');
  const requestedPath = resolve(basePath, ...params.path);
  
  // Ensure the resolved path is within basePath
  if (!requestedPath.startsWith(basePath)) {
    return NextResponse.json(
      { error: 'Invalid path' }, 
      { status: 403 }
    );
  }
  
  // Now safe to read file
  try {
    const file = await readFile(requestedPath);
    return new NextResponse(file);
  } catch {
    return NextResponse.json(
      { error: 'File not found' }, 
      { status: 404 }
    );
  }
}
```

### Prototype Pollution Prevention

Protect against prototype pollution in data handling:

```typescript
// lib/sanitize.ts
import { z } from 'zod';

// Prevent __proto__, constructor, prototype keys
export function sanitizeObject<T extends Record<string, any>>(
  obj: T
): T {
  const sanitized: any = {};
  
  for (const key of Object.keys(obj)) {
    // Skip dangerous keys
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      continue;
    }
    
    const value = obj[key];
    
    if (typeof value === 'object' && value !== null) {
      sanitized[key] = sanitizeObject(value);
    } else {
      sanitized[key] = value;
    }
  }
  
  return sanitized;
}

// Use Zod for strict validation
const userSchema = z.object({
  name: z.string().min(1),
  email: z.string().email(),
  role: z.enum(['user', 'admin']),
  // Explicitly reject unknown keys
}).strict();

export function validateUserData(data: unknown) {
  return userSchema.parse(data); // Throws on prototype pollution attempts
}
```

## 23.2 Environment Variables Management

Secure handling of secrets and configuration prevents credential leaks.

### Server vs Client Variables

Understand the distinction between server and client exposure:

```env
# .env.local

# Server-only (never exposed to browser)
DATABASE_URL="postgresql://user:password@localhost:5432/db"
STRIPE_SECRET_KEY="sk_live_..."
JWT_SECRET="super-secret-key"
INTERNAL_API_KEY="internal-only"

# Client-exposed (prefixed with NEXT_PUBLIC_)
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="pk_live_..."
NEXT_PUBLIC_APP_URL="https://example.com"
NEXT_PUBLIC_MAPS_API_KEY="google-maps-key"

# Build-time only (not available at runtime)
NEXT_PUBLIC_BUILD_DATE="2024-01-15"
```

### Runtime Validation

Validate environment variables at startup:

```typescript
// lib/env.ts
import { z } from 'zod';

const envSchema = z.object({
  NODE_ENV: z.enum(['development', 'production', 'test']),
  DATABASE_URL: z.string().min(1),
  NEXTAUTH_SECRET: z.string().min(32),
  NEXTAUTH_URL: z.string().url(),
  STRIPE_SECRET_KEY: z.string().startsWith('sk_'),
  STRIPE_WEBHOOK_SECRET: z.string().min(1),
  // Optional variables
  UPSTASH_REDIS_REST_URL: z.string().url().optional(),
});

// Validate and export typed env
export const env = envSchema.parse(process.env);

// Type declaration for IDE support
declare global {
  namespace NodeJS {
    interface ProcessEnv extends z.infer<typeof envSchema> {}
  }
}

// Usage in application
import { env } from '@/lib/env';

// Now TypeScript knows these exist and are validated
const dbUrl = env.DATABASE_URL;
```

### Secret Rotation Strategy

Implement secure secret rotation:

```typescript
// lib/secrets.ts
import { createHash, timingSafeEqual } from 'crypto';

export class SecretManager {
  private static readonly GRACE_PERIOD_MS = 24 * 60 * 60 * 1000; // 24 hours
  
  static validateApiKey(providedKey: string): boolean {
    const currentKey = process.env.API_KEY_CURRENT;
    const previousKey = process.env.API_KEY_PREVIOUS; // During rotation
    
    if (!currentKey) return false;
    
    // Constant-time comparison to prevent timing attacks
    try {
      const providedBuf = Buffer.from(providedKey);
      const currentBuf = Buffer.from(currentKey);
      
      if (providedBuf.length !== currentBuf.length) {
        // Try previous key if lengths differ
        if (previousKey) {
          const prevBuf = Buffer.from(previousKey);
          return timingSafeEqual(providedBuf, prevBuf);
        }
        return false;
      }
      
      return timingSafeEqual(providedBuf, currentBuf);
    } catch {
      return false;
    }
  }
  
  static hashSensitiveData(data: string): string {
    return createHash('sha256')
      .update(data + process.env.PEPPER) // Additional secret pepper
      .digest('hex');
  }
}
```

## 23.3 Data Security in Server Components

Protect sensitive data from accidental client exposure.

### Data Filtering

Prevent leaking sensitive fields to Client Components:

```typescript
// lib/data.ts
import { cache } from 'react';

// Define what fields are safe for client exposure
type SafeUser = {
  id: string;
  name: string;
  email: string;
  image: string | null;
  role: string;
};

// Never expose: passwordHash, internalNotes, ssn, etc.
export const getUserProfile = cache(async (userId: string): Promise<SafeUser> => {
  const user = await prisma.user.findUnique({
    where: { id: userId },
  });
  
  if (!user) throw new Error('User not found');
  
  // Explicitly pick only safe fields
  return {
    id: user.id,
    name: user.name,
    email: user.email,
    image: user.image,
    role: user.role,
    // Intentionally omit: password, resetToken, internalId, etc.
  };
});

// For admin views, separate function with explicit permission check
export const getUserAdminDetails = cache(async (
  adminId: string, 
  targetUserId: string
) => {
  // Verify admin has permission
  const admin = await prisma.user.findUnique({
    where: { id: adminId },
    select: { role: true },
  });
  
  if (admin?.role !== 'ADMIN') {
    throw new Error('Unauthorized');
  }
  
  // Return extended data for admins only
  return prisma.user.findUnique({
    where: { id: targetUserId },
    include: {
      loginHistory: true,
      auditLogs: true,
    },
  });
});
```

### Secure Serialization

Prevent serialization of sensitive objects:

```typescript
// app/api/user/route.ts
import { NextResponse } from 'next/server';

export async function GET() {
  const user = await getCurrentUser();
  
  // VULNERABLE: Accidentally serializing entire user object including secrets
  // return NextResponse.json(user);
  
  // SECURE: Explicit serialization with type safety
  const safeUser = {
    id: user.id,
    name: user.name,
    email: user.email,
  };
  
  return NextResponse.json(safeUser);
}

// utils/serialization.ts
export function toSafeJSON(obj: Record<string, any>): string {
  // Custom replacer to handle BigInt and remove undefined
  return JSON.stringify(obj, (key, value) => {
    // Remove undefined values
    if (value === undefined) return undefined;
    
    // Convert BigInt to string
    if (typeof value === 'bigint') return value.toString();
    
    // Remove functions (shouldn't be in data anyway)
    if (typeof value === 'function') return undefined;
    
    // Hide password-like fields even if nested
    if (typeof key === 'string' && 
        /password|secret|token|key|credential/i.test(key)) {
      return '[REDACTED]';
    }
    
    return value;
  });
}
```

## 23.4 Content Security Policy (CSP)

CSP prevents XSS and data injection attacks by controlling resource loading.

### Strict CSP Configuration

Implement a strict CSP with nonces for inline scripts:

```typescript
// middleware.ts
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
  
  // Strict CSP that blocks inline scripts without nonce
  const cspHeader = `
    default-src 'self';
    script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline' 'unsafe-eval';
    style-src 'self' 'nonce-${nonce}' 'unsafe-inline';
    img-src 'self' blob: data: https://*.cloudinary.com;
    font-src 'self';
    object-src 'none';
    base-uri 'self';
    form-action 'self';
    frame-ancestors 'none';
    upgrade-insecure-requests;
    block-all-mixed-content;
  `.replace(/\s{2,}/g, ' ').trim();
  
  const response = NextResponse.next();
  
  response.headers.set('Content-Security-Policy', cspHeader);
  response.headers.set('X-Nonce', nonce);
  
  return response;
}

export const config = {
  matcher: ['/((?!api|_next/static|_next/image|favicon.ico).*)'],
};
```

### Next.js Script Component with CSP

Use the Script component with nonce support:

```typescript
// app/layout.tsx
import { headers } from 'next/headers';
import Script from 'next/script';

export default function RootLayout({ children }: { children: React.ReactNode }) {
  const nonce = headers().get('x-nonce') || undefined;
  
  return (
    <html lang="en">
      <head>
        {/* External script with nonce */}
        <Script
          src="https://analytics.example.com/script.js"
          strategy="afterInteractive"
          nonce={nonce}
        />
        
        {/* Inline script with nonce */}
        <Script id="config" nonce={nonce}>
          {`window.CONFIG = { apiUrl: '${process.env.NEXT_PUBLIC_API_URL}' };`}
        </Script>
      </head>
      <body>{children}</body>
    </html>
  );
}
```

### Report-Only Mode

Deploy CSP in report-only mode first to avoid breaking production:

```typescript
// middleware.ts variant for testing
export function middleware(request: NextRequest) {
  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
  
  const cspHeader = `
    default-src 'self';
    script-src 'self' 'nonce-${nonce}';
    report-uri /api/csp-report;
    report-to csp-endpoint;
  `.trim();
  
  const response = NextResponse.next();
  
  // Use report-only during testing phase
  response.headers.set('Content-Security-Policy-Report-Only', cspHeader);
  
  return response;
}

// app/api/csp-report/route.ts
export async function POST(request: Request) {
  const report = await request.json();
  
  // Log CSP violations for analysis
  console.warn('CSP Violation:', {
    documentUri: report['csp-report']?.['document-uri'],
    blockedUri: report['csp-report']?.['blocked-uri'],
    violatedDirective: report['csp-report']?.['violated-directive'],
    timestamp: new Date().toISOString(),
  });
  
  return new Response(null, { status: 204 });
}
```

## 23.5 XSS Prevention

Cross-Site Scripting attacks inject malicious scripts into your pages.

### Sanitizing User Content

Always sanitize HTML content from users:

```typescript
// lib/sanitize.ts
import sanitizeHtml from 'sanitize-html';

export function sanitizeUserContent(dirty: string): string {
  return sanitizeHtml(dirty, {
    allowedTags: [
      'p', 'br', 'strong', 'em', 'u', 'h1', 'h2', 'h3', 
      'ul', 'ol', 'li', 'a', 'blockquote', 'code', 'pre'
    ],
    allowedAttributes: {
      'a': ['href', 'target', 'rel'],
      'code': ['class'],
    },
    allowedSchemes: ['http', 'https', 'mailto'],
    transformTags: {
      // Force all links to open in new tab with noopener
      'a': (tagName, attribs) => ({
        tagName: 'a',
        attribs: {
          ...attribs,
          target: '_blank',
          rel: 'noopener noreferrer nofollow',
        },
      }),
    },
    // Prevent script injection via event handlers
    nonTextTags: ['style', 'script', 'textarea', 'noscript'],
  });
}

// Usage in component
'use client';

export function UserContent({ html }: { html: string }) {
  const sanitized = sanitizeUserContent(html);
  
  return (
    <div 
      className="prose"
      dangerouslySetInnerHTML={{ __html: sanitized }} 
    />
  );
}
```

### Context-Aware Escaping

Escape output based on context:

```typescript
// lib/escape.ts
export function escapeHtml(unsafe: string): string {
  return unsafe
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

export function escapeJs(unsafe: string): string {
  return JSON.stringify(unsafe).slice(1, -1);
}

export function escapeUrl(unsafe: string): string {
  try {
    const url = new URL(unsafe);
    // Only allow http and https
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      return '#invalid-protocol';
    }
    return url.toString();
  } catch {
    return '#invalid-url';
  }
}

// Component usage
export function SearchResults({ query, results }: { query: string; results: any[] }) {
  // Escape for HTML context
  const safeQuery = escapeHtml(query);
  
  return (
    <div>
      <h1>Results for: {safeQuery}</h1>
      {/* Or use React's automatic escaping (preferable) */}
      <h1>Results for: {query}</h1> {/* React escapes this automatically */}
    </div>
  );
}
```

## 23.6 CSRF Protection

Cross-Site Request Forgery protection ensures state-changing requests originate from your application.

### Double Submit Cookie Pattern

Implement CSRF tokens for form submissions:

```typescript
// lib/csrf.ts
import { cookies } from 'next/headers';
import { createHash, randomBytes } from 'crypto';

export function generateCsrfToken(): string {
  return randomBytes(32).toString('hex');
}

export function setCsrfCookie() {
  const token = generateCsrfToken();
  
  cookies().set('csrf-token', token, {
    httpOnly: false, // Must be readable by JavaScript
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict',
    path: '/',
    maxAge: 60 * 60 * 24, // 24 hours
  });
  
  return token;
}

export function validateCsrfToken(formToken: string): boolean {
  const cookieToken = cookies().get('csrf-token')?.value;
  
  if (!cookieToken || !formToken) return false;
  
  // Timing-safe comparison
  try {
    const cookieBuf = Buffer.from(cookieToken);
    const formBuf = Buffer.from(formToken);
    
    if (cookieBuf.length !== formBuf.length) return false;
    
    return crypto.timingSafeEqual(cookieBuf, formBuf);
  } catch {
    return false;
  }
}
```

### Server Action CSRF Protection

Next.js Server Actions have built-in CSRF protection, but verify origins:

```typescript
// middleware.ts
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  // Verify origin for Server Actions
  if (request.method === 'POST' && 
      request.headers.get('next-action')) {
    const origin = request.headers.get('origin');
    const allowedOrigins = [
      'https://example.com',
      'https://app.example.com',
    ];
    
    if (!origin || !allowedOrigins.includes(origin)) {
      return NextResponse.json(
        { error: 'Invalid origin' }, 
        { status: 403 }
      );
    }
  }
  
  return NextResponse.next();
}
```

### Form Implementation

Include CSRF tokens in forms:

```typescript
// components/secure-form.tsx
import { setCsrfCookie } from '@/lib/csrf';

export function SecureForm() {
  // Generate token for this form render
  const csrfToken = setCsrfCookie();
  
  return (
    <form action="/api/submit" method="POST">
      <input type="hidden" name="csrf_token" value={csrfToken} />
      
      <input name="email" type="email" required />
      <button type="submit">Submit</button>
    </form>
  );
}

// app/api/submit/route.ts
import { validateCsrfToken } from '@/lib/csrf';

export async function POST(request: Request) {
  const formData = await request.formData();
  const csrfToken = formData.get('csrf_token') as string;
  
  if (!validateCsrfToken(csrfToken)) {
    return Response.json(
      { error: 'Invalid CSRF token' }, 
      { status: 403 }
    );
  }
  
  // Process form...
}
```

## 23.7 Secure Data Transmission

Ensure data in transit is protected from eavesdropping and tampering.

### HTTPS Enforcement

Force HTTPS in production:

```typescript
// middleware.ts
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  // Check for HTTPS in production
  if (process.env.NODE_ENV === 'production') {
    const proto = request.headers.get('x-forwarded-proto');
    
    if (proto === 'http') {
      const httpsUrl = new URL(request.url);
      httpsUrl.protocol = 'https:';
      
      return NextResponse.redirect(httpsUrl, 301);
    }
  }
  
  // Add HSTS header
  const response = NextResponse.next();
  
  if (process.env.NODE_ENV === 'production') {
    response.headers.set(
      'Strict-Transport-Security',
      'max-age=31536000; includeSubDomains; preload'
    );
  }
  
  return response;
}
```

### Secure Cookies

Configure cookies with secure flags:

```typescript
// lib/auth.ts
import { cookies } from 'next/headers';

export function setSessionCookie(token: string) {
  cookies().set('session', token, {
    httpOnly: true,        // Not accessible via JavaScript
    secure: true,          // Only sent over HTTPS
    sameSite: 'strict',    // CSRF protection
    maxAge: 60 * 60 * 24 * 7, // 7 days
    path: '/',
    // Optional: restrict to specific domain
    // domain: 'example.com',
  });
}

// For remember-me functionality (longer lived, less secure)
export function setRememberMeCookie(token: string) {
  cookies().set('remember_me', token, {
    httpOnly: true,
    secure: true,
    sameSite: 'lax',       // Allow cross-site GET requests
    maxAge: 60 * 60 * 24 * 30, // 30 days
    path: '/',
  });
}
```

## 23.8 Dependency Security

Third-party code can introduce vulnerabilities.

### Automated Scanning

Integrate security scanning in your workflow:

```json
// package.json scripts
{
  "scripts": {
    "security:audit": "npm audit",
    "security:fix": "npm audit fix",
    "security:check": "better-npm-audit audit",
    "prebuild": "npm run security:audit"
  }
}
```

```yaml
# .github/workflows/security.yml
name: Security Audit

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0'  # Weekly

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run npm audit
        run: npm audit --audit-level=high
        
      - name: Check for outdated dependencies
        run: npm outdated
        
      - name: Run Snyk security scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

### Dependency Pinning

Prevent supply chain attacks with lockfiles and integrity checks:

```bash
# Use exact versions in package.json where possible
# Use npm ci in CI/CD to ensure exact lockfile adherence

# Verify lockfile integrity
npm ci --audit
npm shrinkwrap  # Lock down dependencies for libraries
```

### Subresource Integrity

Verify external scripts haven't been tampered with:

```typescript
// app/layout.tsx
import Script from 'next/script';

export default function Layout({ children }: { children: React.ReactNode }) {
  return (
    <html>
      <head>
        {/* External script with integrity hash */}
        <Script
          src="https://cdn.example.com/analytics.js"
          integrity="sha384-abc123...xyz789"
          crossOrigin="anonymous"
          strategy="afterInteractive"
        />
      </head>
      <body>{children}</body>
    </html>
  );
}
```

## Key Takeaways from Chapter 23

1. **Injection Prevention**: Always use parameterized queries with ORMs (Prisma) to prevent SQL injection. Validate and sanitize file paths to prevent directory traversal using `path.resolve()` and prefix checking. Use Zod strict schemas to prevent prototype pollution by rejecting unknown keys.

2. **Environment Security**: Never prefix sensitive variables with `NEXT_PUBLIC_`. Validate environment variables at startup using Zod schemas to ensure required secrets exist. Implement constant-time comparison (`crypto.timingSafeEqual`) for API keys to prevent timing attacks.

3. **Server Component Data**: Explicitly filter database query results to return only necessary fields—never return raw database objects to Client Components. Create separate data access functions for different permission levels (user vs admin) to enforce least privilege.

4. **Content Security Policy**: Implement strict CSP headers with nonces for inline scripts using middleware. Start with `Content-Security-Policy-Report-Only` to identify violations without breaking functionality. Use Next.js Script component with nonce support for external resources.

5. **XSS Prevention**: Sanitize HTML content using libraries like `sanitize-html` with strict allowlists. Prefer React's automatic escaping over `dangerouslySetInnerHTML`. When raw HTML is necessary, context-aware escaping (HTML, JS, URL contexts) prevents injection vectors.

6. **CSRF Protection**: Implement double-submit cookie pattern with httpOnly `false` (for JS reading) but sameSite `strict`. Validate CSRF tokens on all state-changing POST requests using timing-safe comparison. Next.js Server Actions have built-in origin validation, but verify `origin` headers in middleware for additional protection.

7. **Secure Transmission**: Enforce HTTPS in production using `x-forwarded-proto` header checks and HSTS headers. Configure cookies with `httpOnly`, `secure`, and `sameSite` flags. Implement subresource integrity (SRI) hashes for external scripts to prevent supply chain attacks.

## Coming Up Next

**Chapter 24: Deployment Strategies**

Now that your application is secure, it's time to ship it to production. In Chapter 24, we'll explore Vercel deployment optimization, self-hosting options with Docker, static exports for edge deployment, CI/CD pipeline configuration, environment-specific settings, and monitoring/analytics setup. You'll learn how to deploy your Next.js application confidently across various platforms while maintaining security and performance.

<div style='width:100%; display:flex; justify-content:space-between; align-items:center; margin: 1em 0;'>
  <a href='22. seo_and_metadata.ipynb' style='font-weight:bold; font-size:1.05em;'>&larr; Previous</a>
  <a href='../TOC.md' style='font-weight:bold; font-size:1.05em; text-align:center;'>Table of Contents</a>
  <a href='24. deployment_strategies.ipynb' style='font-weight:bold; font-size:1.05em;'>Next &rarr;</a>
</div>
