Security best practices for React/Next.js - XSS, CSRF, authentication, and API security
Scanned 6/14/2026
Install via CLI
Skills Directoryopenskills install fratilanico/apex-os-bad-boy---
name: security-best-practices
description: Security best practices for React/Next.js - XSS, CSRF, authentication, and API security
tier: CRITICAL
value_tier: production
tags: [security, authentication, best-practices]
entitlements: { product_tiers: [all], agent_access: [all] }
---
# Security Best Practices
## Authentication
### Secure Session Management
- Use HTTP-only, Secure cookies
- Implement CSRF protection
- Set appropriate cookie expiry
- Rotate tokens regularly
### Password Handling
- Never store plain text passwords
- Use strong hashing (bcrypt, argon2)
- Implement rate limiting on login
- Add captcha for failed attempts
## Data Protection
### Input Validation
```typescript
import { z } from 'zod'
const UserSchema = z.object({
email: z.string().email(),
password: z.string().min(8).max(100),
name: z.string().max(100)
})
```
### SQL Injection Prevention
- Use parameterized queries
- Never concatenate user input to queries
- Use ORM/Query Builder
## XSS Prevention
### React Protection
- React escapes by default
- Use dangerouslySetInnerHTML sparingly
- Sanitize user input
- Use Content Security Policy
## API Security
### Rate Limiting
```typescript
import { rateLimit } from './lib/rate-limit'
export async function POST(req: Request) {
const ip = req.headers.get('x-forwarded-for') || 'unknown'
const { success } = await rateLimit.limit(ip)
if (!success) {
return new Response('Too Many Requests', { status: 429 })
}
// Process request
}
```
### CORS Configuration
```typescript
// Only allow specific origins
export default function handler(req, res) {
res.setHeader('Access-Control-Allow-Origin', 'https://yoursite.com')
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
res.setHeader('Access-Control-Allow-Credentials', 'true')
}
```
## Environment Variables
- Never commit secrets to git
- Use .env.local for local development
- Use Vercel env vars for production
- Prefix sensitive variables (e.g., NEXT_PUBLIC_ only for public)
No comments yet. Be the first to comment!
SEO optimization with keyword analysis, readability assessment, technical validation, content quality. Use for search rankings, blog posts, content audits, or encountering keyword density, readability scores, meta tags, schema markup errors.
Python backend development expertise for FastAPI, security patterns, database operations, Upstash integrations, and code quality. Use when: (1) Building REST APIs with FastAPI, (2) Implementing JWT/OAuth2 authentication, (3) Setting up SQLAlchemy/async databases, (4) Integrating Redis/Upstash caching, (5) Refactoring AI-generated Python code (deslopification), (6) Designing API patterns, or (7) Optimizing backend performance.
Drive the full internationalization journey for a project — detect the stack, recommend a library, set up the chosen library, wrap existing strings, and optionally connect a translation platform. Use when the user asks to add or configure i18n, internationalization, localization, multi-language support, or translations — including when they explicitly mention LinguiJS, Lingui, next-intl, "wrap strings", "find hardcoded text", "make my app translatable", or "set up translations". Triggers on g...
Use this skill when developing or maintaining browser extension code in the `browser/` directory, including Chrome/Firefox/Edge compatibility, content scripts, background scripts, or i18n updates.
PTES-aligned adversarial security audit for backend, frontend, and mobile applications. Produces a CVSS-scored Hacker Report with verified PoCs and phased remediation.
