# Next.js Security Audit - Comprehensive Vulnerability Scanner and Fixer
## Development Philosophy
- **Security First**: Every line of code should be written with security in mind
- **Minimal Attack Surface**: Reduce exposure by implementing least privilege principles
- **Defense in Depth**: Layer security controls to prevent single points of failure
- **Practical Over Perfect**: Focus on high-impact, implementable fixes
- **Continuous Monitoring**: Security is not a one-time activity but an ongoing process
## 🔍 Phase 1: Automated Security Scan
Systematically analyze the codebase for vulnerabilities. For each finding, provide:
\`\`\`
📍 Location: [filename:line]
🚨 Severity: [CRITICAL|HIGH|MEDIUM|LOW]
🔓 Issue: [Clear description]
💥 Impact: [What could happen]
\`\`\`
### Priority Scan Areas
#### Authentication & Authorization
- JWT implementation flaws
- Session management issues
- Missing auth middleware on protected routes
- Insecure password reset flows
- OAuth misconfigurations
- Missing role-based access control (RBAC)
- Privilege escalation vulnerabilities
#### API Security
- Unprotected API routes (\`/api/*\` without auth checks)
- Missing CSRF protection
- Lack of rate limiting
- Input validation gaps
- SQL/NoSQL injection risks
- Mass assignment vulnerabilities
- GraphQL specific vulnerabilities (if applicable)
- Missing API versioning strategy
#### Next.js Specific Vulnerabilities
- Exposed server components with sensitive logic
- Client-side environment variables containing secrets
- Improper use of \`dangerouslySetInnerHTML\`
- Missing security headers in \`next.config.js\`
- Insecure redirects and open redirects
- Server actions without proper validation
- Middleware bypass vulnerabilities
- Static generation exposing sensitive data
#### Data Exposure
- Sensitive data in client components
- API responses leaking internal data
- Error messages exposing system info
- Unfiltered database queries
- Missing data sanitization
- Logging sensitive information
- Exposed user PII in URLs or localStorage
#### Configuration Issues
- Hardcoded secrets or API keys
- Insecure CORS settings
- Missing Content Security Policy
- Exposed \`.env\` variables on client
- Debug mode in production
- Verbose error reporting
- Missing HTTPS enforcement
## 📊 Phase 2: Risk Assessment & Remediation Plan
### Vulnerability Analysis Template
\`\`\`markdown
### [Issue Name]
**Risk Level**: [CRITICAL/HIGH/MEDIUM/LOW]
**CVSS Score**: [0.0-10.0]
**CWE ID**: [Common Weakness Enumeration ID]
**Attack Vector**:
1. [Step-by-step exploitation scenario]
2. [Tools/techniques required]
3. [Skill level needed]
**Business Impact**:
- Data breach potential: [Yes/No - what data]
- Service disruption: [Yes/No - how]
- Compliance violation: [GDPR/PCI/HIPAA/SOC2 if applicable]
- Reputation damage: [High/Medium/Low]
- Financial impact: [Estimated range]
**Recommended Fix**:
[Minimal, practical solution with code example]
**Alternative Solutions**:
[If multiple approaches exist]
**Implementation Effort**: [Hours/Days]
**Breaking Changes**: [Yes/No - what might break]
**Dependencies**: [New packages or services required]
\`\`\`
## 🔧 Phase 3: Secure Code Implementation
### Fix Template
\`\`\`diff
// File: [path/to/file]
// Issue: [Brief description]
// CWE: [CWE-XXX]
- [old insecure code]
+ [new secure code]
// Test coverage required:
// - [Unit test scenario]
// - [Integration test scenario]
\`\`\`
### Verification Checklist
- [ ] Fix addresses the root cause
- [ ] No new vulnerabilities introduced
- [ ] Backward compatibility maintained
- [ ] Performance impact assessed (<5% degradation)
- [ ] Error handling preserved
- [ ] Logging added for security events
- [ ] Documentation updated
- [ ] Tests written and passing
## 🎯 Next.js Security Checklist
Rate each area:
- ✅ Secure
- ⚠️ Needs improvement
- ❌ Critical issue
### Core Security
- [ ] All API routes have authentication
- [ ] Rate limiting implemented (e.g., with \`next-rate-limit\`)
- [ ] CSRF tokens on state-changing operations
- [ ] Input validation with \`zod\` or similar
- [ ] SQL queries use parameterization
- [ ] XSS prevention in place
- [ ] File upload restrictions implemented
- [ ] Security event logging configured
### Next.js Configuration
- [ ] Security headers in \`next.config.js\`
- [ ] Environment variables properly split (server vs client)
- [ ] Content Security Policy configured
- [ ] HTTPS enforced in production
- [ ] Source maps disabled in production
- [ ] Strict TypeScript configuration
- [ ] Middleware security rules implemented
- [ ] API routes follow RESTful security practices
### Authentication & Session Management
- [ ] Secure session management (httpOnly, secure, sameSite cookies)
- [ ] Password hashing with bcrypt/argon2 (cost factor ≥ 12)
- [ ] Account lockout mechanisms (after 5 failed attempts)
- [ ] Secure password reset flow (time-limited tokens)
- [ ] 2FA/MFA support implemented
- [ ] Session timeout configured
- [ ] Secure "Remember Me" functionality
- [ ] Logout properly clears all session data
### Data Protection
- [ ] Sensitive data encrypted at rest
- [ ] PII data minimization practiced
- [ ] Data retention policies implemented
- [ ] Secure data deletion procedures
- [ ] Audit trails for sensitive operations
- [ ] GDPR compliance measures
## 📋 Executive Summary Format
\`\`\`markdown
# Security Audit Report - [Date]
## Critical Findings
[Number] critical vulnerabilities requiring immediate attention
## Risk Matrix
| Category | Critical | High | Medium | Low |
|----------|----------|------|---------|-----|
| Auth | X | X | X | X |
| API | X | X | X | X |
| Data | X | X | X | X |
| Config | X | X | X | X |
## Summary by Category
- Authentication: [X issues] - [Brief description]
- API Security: [X issues] - [Brief description]
- Data Protection: [X issues] - [Brief description]
- Configuration: [X issues] - [Brief description]
## Remediation Timeline
- Immediate (24h): [List critical fixes]
- Short-term (1 week): [List high priority]
- Medium-term (1 month): [List medium priority]
- Long-term (3 months): [List low priority]
## Required Resources
- Developer hours: [Estimate by priority]
- Third-party tools: [List with costs]
- Testing requirements: [Scope and timeline]
- Training needs: [Security awareness topics]
## Compliance Status
- [ ] OWASP Top 10 addressed
- [ ] GDPR requirements met
- [ ] Industry standards compliance
\`\`\`
## 🚀 Quick Wins
Identify 5-10 fixes that can be implemented immediately with high security impact:
1. **Enable rate limiting** on all API routes
2. **Add security headers** to next.config.js
3. **Implement input validation** using Zod schemas
4. **Enable CSRF protection** for mutations
5. **Remove console.logs** containing sensitive data
## 🛡️ Security Code Patterns
### Secure API Route Template
\`\`\`typescript
// app/api/secure-endpoint/route.ts
import { NextRequest, NextResponse } from 'next/server';
import { z } from 'zod';
import { verifyAuth } from '@/lib/auth';
import { rateLimit } from '@/lib/rate-limit';
import { csrf } from '@/lib/csrf';
const schema = z.object({
// Define your input schema
});
export async function POST(req: NextRequest) {
// Rate limiting
const rateLimitResult = await rateLimit(req);
if (!rateLimitResult.success) {
return NextResponse.json({ error: 'Too many requests' }, { status: 429 });
}
// Authentication
const auth = await verifyAuth(req);
if (!auth.authenticated) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
// CSRF protection
const csrfValid = await csrf.verify(req);
if (!csrfValid) {
return NextResponse.json({ error: 'Invalid CSRF token' }, { status: 403 });
}
// Input validation
const body = await req.json();
const validationResult = schema.safeParse(body);
if (!validationResult.success) {
return NextResponse.json({
error: 'Validation failed',
details: validationResult.error.flatten()
}, { status: 400 });
}
try {
// Business logic here
return NextResponse.json({ success: true });
} catch (error) {
// Log error securely (no sensitive data)
console.error('API error:', {
endpoint: '/api/secure-endpoint',
userId: auth.userId,
timestamp: new Date().toISOString()
});
return NextResponse.json({
error: 'Internal server error'
}, { status: 500 });
}
}
\`\`\`
### Security Headers Configuration
\`\`\`javascript
// next.config.js
const securityHeaders = [
{
key: 'X-DNS-Prefetch-Control',
value: 'on'
},
{
key: 'Strict-Transport-Security',
value: 'max-age=63072000; includeSubDomains; preload'
},
{
key: 'X-Frame-Options',
value: 'SAMEORIGIN'
},
{
key: 'X-Content-Type-Options',
value: 'nosniff'
},
{
key: 'X-XSS-Protection',
value: '1; mode=block'
},
{
key: 'Referrer-Policy',
value: 'origin-when-cross-origin'
},
{
key: 'Content-Security-Policy',
value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
}
];
module.exports = {
async headers() {
return [
{
source: '/:path*',
headers: securityHeaders,
},
];
},
};
\`\`\`
## Remember
- Security is everyone's responsibility
- The best security is invisible to users
- Document security decisions for future reference
- Regular security audits are essential
- Stay updated with the latest security advisoriesBack to Rules
Next.js Security Audit - Comprehensive Vulnerability Scanner
cursor.directory
Related Rules
Optimized Next.js TypeScript Best Practices with Modern UI/UX
cursor.directory
Next.jsTypeScriptReact
Expo React Native TypeScript Cursor Rules
cursor.directory
ExpoReact NativeTypeScript
The Ultimate Frontend Development Instruction
cursor.directory
TypeScriptReactNext.js
Clean NestJs APIs with TypeScript Cursor Rules
cursor.directory
NestJsNodeAPI
Next.js React Redux TypeScript Cursor Rules
cursor.directory
Next.jsReactRedux
Next.js React TypeScript Cursor Rules
cursor.directory
Next.jsReactTypeScript
