Authentication best practices
Always use Server Components for auth
app/dashboard/page.tsx
Implement proper logout
app/actions.ts
Validate return URLs
lib/return-url.ts
API key management
Never expose keys client-side
Rotate keys regularly
Monitor key usage
Regularly check Cloud Admin for:- Unexpected API key usage patterns
- Failed authentication attempts
- Rate limit violations
Input validation
Validate on client AND server
app/actions.ts
Sanitize user-generated content
components/user-content.tsx
Prevent SQL injection
Your Starter Kit doesn’t directly access databases. The Cloud API handles all data operations securely.
HTTPS and transport security
Enforce HTTPS in production
middleware.ts
Configure secure headers
next.config.ts
Error handling
Never expose sensitive info in errors
Log errors without sensitive data
Dependency security
Regular updates
Monitor dependencies
Enable GitHub Dependabot:- Repository Settings → Security & Analysis
- Enable Dependabot alerts
- Enable Dependabot security updates
Review before installing
Before adding new packages:- Check npm/GitHub stats (downloads, stars, last update)
- Review open issues and security advisories
- Check license compatibility
- Consider bundle size impact
Session security
Set appropriate timeouts
Access tokens expire after 30 minutes. Implement refresh logic:lib/auth-server.ts
Handle concurrent sessions
Decide your policy:- Allow multiple sessions (default)
- Invalidate previous sessions on new login
- Limit to N concurrent sessions
app/actions.ts
Rate limiting
Respect API rate limits
Implement client-side throttling
Security checklist
Authentication
Authentication
- Server-side auth checks on protected pages
- httpOnly cookies for tokens
- Proper logout implementation
- Return URL sanitization
- Session timeout handling
API Security
API Security
- Keys stored in environment variables
- Server-side API calls only
- Input validation client and server
- Error messages don’t leak info
- Rate limit handling
Transport Security
Transport Security
- HTTPS enforced in production
- Security headers configured
- CORS properly configured
- Cookie secure flags set
Code Security
Code Security
- Dependencies regularly updated
- No secrets in code or logs
- User input sanitized
- SQL injection prevention (if custom backend)
- XSS prevention
Next steps
Security Config
Configure security settings
Environment Variables
Manage credentials securely

