Security Guide

Learn about the security measures implemented in Nexset and how to enhance your application's security.

Security Headers

Add the following security headers to your next.config.js file to improve your application's security:

const nextConfig = {
  ...
  async headers() { 
    return [
      {
        source: "/(.*)",
        headers: [
          {
            key: "Strict-Transport-Security",
            value: "max-age=31536000; includeSubDomains; preload",
          },
          {
            key: "X-Frame-Options",
            value: "DENY",
          },
          {
            key: "X-Content-Type-Options",
            value: "nosniff",
          },
          {
            key: "Referrer-Policy",
            value: "strict-origin-when-cross-origin",
          },
        ],
      },
    ];
  }
};

module.exports = nextConfig;

Security Headers Explained

  • 1

    Strict-Transport-Security: Enables HSTS, forcing browsers to use HTTPS

  • 2

    X-Frame-Options: Prevents clickjacking attacks

  • 3

    X-Content-Type-Options: Prevents MIME type sniffing

  • 4

    Referrer-Policy: Controls how much referrer information is sent

API Route Validation

It's crucial to validate data in your API routes. Nexset uses Zod for schema validation. Here's an example of how to implement it:

import { NextResponse } from "next/server";
import { z } from "zod";

const schema = z.object({
  email: z.string().email(),
});

export async function POST(request) {
  const { email } = await request.json();

  const isValidEmail = schema.safeParse(email);

  if (!isValidEmail.success) {
    return NextResponse.json({ error: "Invalid email" }, { status: 400 });
  }

  return NextResponse.json({ email: isValidEmail.data });
}

Tips

  • 1

    Always validate input data using Zod schemas

  • 2

    Keep dependencies up to date

  • 3

    Use environment variables for sensitive data

  • 4

    Implement rate limiting on API routes

  • 5

    Regular security audits and updates