Security Review Skill This skill ensures all code follows security best practices and identifies potential vulnerabilities. When to Activate Implementing authentication or authorization Handling user input or file uploads Creating new API endpoints Working with secrets or credentials Implementing payment features Storing or transmitting sensitive data Integrating third-party APIs Security Checklist 1. Secrets Management ❌ NEVER Do This const apiKey = "sk-proj-xxxxx" // Hardcoded secret const dbPassword = "password123" // In source code ✅ ALWAYS Do This const apiKey = process . env . OPENAI_API_KEY const dbUrl = process . env . DATABASE_URL // Verify secrets exist if ( ! apiKey ) { throw new Error ( 'OPENAI_API_KEY not configured' ) } Verification Steps No hardcoded API keys, tokens, or passwords All secrets in environment variables .env.local in .gitignore No secrets in git history Production secrets in hosting platform (Vercel, Railway) 2. Input Validation Always Validate User Input import { z } from 'zod' // Define validation schema const CreateUserSchema = z . object ( { email : z . string ( ) . email ( ) , name : z . string ( ) . min ( 1 ) . max ( 100 ) , age : z . number ( ) . int ( ) . min ( 0 ) . max ( 150 ) } ) // Validate before processing export async function createUser ( input : unknown ) { try { const validated = CreateUserSchema . parse ( input ) return await db . users . create ( validated ) } catch ( error ) { if ( error instanceof z . ZodError ) { return { success : false , errors : error . errors } } throw error } } File Upload Validation function validateFileUpload ( file : File ) { // Size check (5MB max) const maxSize = 5 * 1024 * 1024 if ( file . size

maxSize ) { throw new Error ( 'File too large (max 5MB)' ) } // Type check const allowedTypes = [ 'image/jpeg' , 'image/png' , 'image/gif' ] if ( ! allowedTypes . includes ( file . type ) ) { throw new Error ( 'Invalid file type' ) } // Extension check const allowedExtensions = [ '.jpg' , '.jpeg' , '.png' , '.gif' ] const extension = file . name . toLowerCase ( ) . match ( / . [ ^ . ] + $ / ) ?. [ 0 ] if ( ! extension || ! allowedExtensions . includes ( extension ) ) { throw new Error ( 'Invalid file extension' ) } return true } Verification Steps All user inputs validated with schemas File uploads restricted (size, type, extension) No direct use of user input in queries Whitelist validation (not blacklist) Error messages don't leak sensitive info 3. SQL Injection Prevention ❌ NEVER Concatenate SQL // DANGEROUS - SQL Injection vulnerability const query = SELECT * FROM users WHERE email = ' ${ userEmail } ' await db . query ( query ) ✅ ALWAYS Use Parameterized Queries // Safe - parameterized query const { data } = await supabase . from ( 'users' ) . select ( '*' ) . eq ( 'email' , userEmail ) // Or with raw SQL await db . query ( 'SELECT * FROM users WHERE email = $1' , [ userEmail ] ) Verification Steps All database queries use parameterized queries No string concatenation in SQL ORM/query builder used correctly Supabase queries properly sanitized 4. Authentication & Authorization JWT Token Handling // ❌ WRONG: localStorage (vulnerable to XSS) localStorage . setItem ( 'token' , token ) // ✅ CORRECT: httpOnly cookies res . setHeader ( 'Set-Cookie' , token= ${ token } ; HttpOnly; Secure; SameSite=Strict; Max-Age=3600 ) Authorization Checks export async function deleteUser ( userId : string , requesterId : string ) { // ALWAYS verify authorization first const requester = await db . users . findUnique ( { where : { id : requesterId } } ) if ( requester . role !== 'admin' ) { return NextResponse . json ( { error : 'Unauthorized' } , { status : 403 } ) } // Proceed with deletion await db . users . delete ( { where : { id : userId } } ) } Row Level Security (Supabase) -- Enable RLS on all tables ALTER TABLE users ENABLE ROW LEVEL SECURITY ; -- Users can only view their own data CREATE POLICY "Users view own data" ON users FOR SELECT USING ( auth . uid ( ) = id ) ; -- Users can only update their own data CREATE POLICY "Users update own data" ON users FOR UPDATE USING ( auth . uid ( ) = id ) ; Verification Steps Tokens stored in httpOnly cookies (not localStorage) Authorization checks before sensitive operations Row Level Security enabled in Supabase Role-based access control implemented Session management secure 5. XSS Prevention Sanitize HTML import DOMPurify from 'isomorphic-dompurify' // ALWAYS sanitize user-provided HTML function renderUserContent ( html : string ) { const clean = DOMPurify . sanitize ( html , { ALLOWED_TAGS : [ 'b' , 'i' , 'em' , 'strong' , 'p' ] , ALLOWED_ATTR : [ ] } ) return < div dangerouslySetInnerHTML = { { __html : clean } } /

} Content Security Policy // next.config.js const securityHeaders = [ { key : 'Content-Security-Policy' , value : default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' https://api.example.com; . replace ( / \s {2,} / g , ' ' ) . trim ( ) } ] Verification Steps User-provided HTML sanitized CSP headers configured No unvalidated dynamic content rendering React's built-in XSS protection used 6. CSRF Protection CSRF Tokens import { csrf } from '@/lib/csrf' export async function POST ( request : Request ) { const token = request . headers . get ( 'X-CSRF-Token' ) if ( ! csrf . verify ( token ) ) { return NextResponse . json ( { error : 'Invalid CSRF token' } , { status : 403 } ) } // Process request } SameSite Cookies res . setHeader ( 'Set-Cookie' , session= ${ sessionId } ; HttpOnly; Secure; SameSite=Strict ) Verification Steps CSRF tokens on state-changing operations SameSite=Strict on all cookies Double-submit cookie pattern implemented 7. Rate Limiting API Rate Limiting import rateLimit from 'express-rate-limit' const limiter = rateLimit ( { windowMs : 15 * 60 * 1000 , // 15 minutes max : 100 , // 100 requests per window message : 'Too many requests' } ) // Apply to routes app . use ( '/api/' , limiter ) Expensive Operations // Aggressive rate limiting for searches const searchLimiter = rateLimit ( { windowMs : 60 * 1000 , // 1 minute max : 10 , // 10 requests per minute message : 'Too many search requests' } ) app . use ( '/api/search' , searchLimiter ) Verification Steps Rate limiting on all API endpoints Stricter limits on expensive operations IP-based rate limiting User-based rate limiting (authenticated) 8. Sensitive Data Exposure Logging // ❌ WRONG: Logging sensitive data console . log ( 'User login:' , { email , password } ) console . log ( 'Payment:' , { cardNumber , cvv } ) // ✅ CORRECT: Redact sensitive data console . log ( 'User login:' , { email , userId } ) console . log ( 'Payment:' , { last4 : card . last4 , userId } ) Error Messages // ❌ WRONG: Exposing internal details catch ( error ) { return NextResponse . json ( { error : error . message , stack : error . stack } , { status : 500 } ) } // ✅ CORRECT: Generic error messages catch ( error ) { console . error ( 'Internal error:' , error ) return NextResponse . json ( { error : 'An error occurred. Please try again.' } , { status : 500 } ) } Verification Steps No passwords, tokens, or secrets in logs Error messages generic for users Detailed errors only in server logs No stack traces exposed to users 9. Blockchain Security (Solana) Wallet Verification import { verify } from '@solana/web3.js' async function verifyWalletOwnership ( publicKey : string , signature : string , message : string ) { try { const isValid = verify ( Buffer . from ( message ) , Buffer . from ( signature , 'base64' ) , Buffer . from ( publicKey , 'base64' ) ) return isValid } catch ( error ) { return false } } Transaction Verification async function verifyTransaction ( transaction : Transaction ) { // Verify recipient if ( transaction . to !== expectedRecipient ) { throw new Error ( 'Invalid recipient' ) } // Verify amount if ( transaction . amount

maxAmount ) { throw new Error ( 'Amount exceeds limit' ) } // Verify user has sufficient balance const balance = await getBalance ( transaction . from ) if ( balance < transaction . amount ) { throw new Error ( 'Insufficient balance' ) } return true } Verification Steps Wallet signatures verified Transaction details validated Balance checks before transactions No blind transaction signing 10. Dependency Security Regular Updates

Check for vulnerabilities

npm audit

Fix automatically fixable issues

npm audit fix

Update dependencies

npm update

Check for outdated packages

npm outdated Lock Files

ALWAYS commit lock files

git add package-lock.json

Use in CI/CD for reproducible builds

npm ci

Instead of npm install

Verification Steps

Dependencies up to date

No known vulnerabilities (npm audit clean)

Lock files committed

Dependabot enabled on GitHub

Regular security updates

Security Testing

Automated Security Tests

// Test authentication

test

(

'requires authentication'

,

async

(

)

=>

{

const

response

=

await

fetch

(

'/api/protected'

)

expect

(

response

.

status

)

.

toBe

(

401

)

}

)

// Test authorization

test

(

'requires admin role'

,

async

(

)

=>

{

const

response

=

await

fetch

(

'/api/admin'

,

{

headers

:

{

Authorization

:

`

Bearer

${

userToken

}

`

}

}

)

expect

(

response

.

status

)

.

toBe

(

403

)

}

)

// Test input validation

test

(

'rejects invalid input'

,

async

(

)

=>

{

const

response

=

await

fetch

(

'/api/users'

,

{

method

:

'POST'

,

body

:

JSON

.

stringify

(

{

email

:

'not-an-email'

}

)

}

)

expect

(

response

.

status

)

.

toBe

(

400

)

}

)

// Test rate limiting

test

(

'enforces rate limits'

,

async

(

)

=>

{

const

requests

=

Array

(

101

)

.

fill

(

null

)

.

map

(

(

)

=>

fetch

(

'/api/endpoint'

)

)

const

responses

=

await

Promise

.

all

(

requests

)

const

tooManyRequests

=

responses

.

filter

(

r

=>

r

.

status

===

429

)

expect

(

tooManyRequests

.

length

)

.

toBeGreaterThan

(

0

)

}

)

Pre-Deployment Security Checklist

Before ANY production deployment:

Secrets

No hardcoded secrets, all in env vars

Input Validation

All user inputs validated

SQL Injection

All queries parameterized

XSS

User content sanitized

CSRF

Protection enabled

Authentication

Proper token handling

Authorization

Role checks in place

Rate Limiting

Enabled on all endpoints

HTTPS

Enforced in production

Security Headers

CSP, X-Frame-Options configured

Error Handling

No sensitive data in errors

Logging

No sensitive data logged

Dependencies

Up to date, no vulnerabilities

Row Level Security

Enabled in Supabase

CORS

Properly configured

File Uploads

Validated (size, type)

Wallet Signatures

Verified (if blockchain)

Resources

OWASP Top 10

Next.js Security

Supabase Security

Web Security Academy

Remember

Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.