Skip to main content
Follow these security practices to protect your application and user data.

Authentication best practices

Always use Server Components for auth

app/dashboard/page.tsx

Implement proper logout

app/actions.ts

Validate return URLs

lib/return-url.ts

API key management

Never expose keys client-side

Rotate keys regularly

1

Generate new keys

Create new keys in Cloud Admin every 90 days or immediately if compromised.
2

Update production first

Set new keys in production environment variables and deploy.
3

Verify functionality

Test critical flows (login, API calls, AI features).
4

Revoke old keys

Only after confirming new keys work everywhere.

Monitor key usage

Regularly check Cloud Admin for:
  • Unexpected API key usage patterns
  • Failed authentication attempts
  • Rate limit violations

Input validation

Validate on client AND server

app/actions.ts

Sanitize user-generated content

components/user-content.tsx

Prevent SQL injection

Your Starter Kit doesn’t directly access databases. The Cloud API handles all data operations securely.
If you add custom backend logic, use parameterized queries.

HTTPS and transport security

Enforce HTTPS in production

middleware.ts

Configure secure headers

next.config.ts

Error handling

Never expose sensitive info in errors

Log errors without sensitive data

Dependency security

Regular updates

Monitor dependencies

Enable GitHub Dependabot:
  1. Repository Settings → Security & Analysis
  2. Enable Dependabot alerts
  3. Enable Dependabot security updates

Review before installing

Before adding new packages:
  • Check npm/GitHub stats (downloads, stars, last update)
  • Review open issues and security advisories
  • Check license compatibility
  • Consider bundle size impact

Session security

Set appropriate timeouts

Access tokens expire after 30 minutes. Implement refresh logic:
lib/auth-server.ts

Handle concurrent sessions

Decide your policy:
  • Allow multiple sessions (default)
  • Invalidate previous sessions on new login
  • Limit to N concurrent sessions
Implement in your login flow:
app/actions.ts

Rate limiting

Respect API rate limits

Implement client-side throttling

Security checklist

  • Server-side auth checks on protected pages
  • httpOnly cookies for tokens
  • Proper logout implementation
  • Return URL sanitization
  • Session timeout handling
  • Keys stored in environment variables
  • Server-side API calls only
  • Input validation client and server
  • Error messages don’t leak info
  • Rate limit handling
  • HTTPS enforced in production
  • Security headers configured
  • CORS properly configured
  • Cookie secure flags set
  • Dependencies regularly updated
  • No secrets in code or logs
  • User input sanitized
  • SQL injection prevention (if custom backend)
  • XSS prevention

Next steps

Security Config

Configure security settings

Environment Variables

Manage credentials securely