Skip to main content
Your Starter Kit application includes multiple security layers to protect user data and prevent unauthorized access.

Authentication security

JWT tokens

The Cloud API issues JSON Web Tokens for authentication: Access tokens:
  • Expire after 30 minutes
  • Stored in httpOnly cookies (devkit4ai-token)
  • Not accessible to JavaScript
  • Automatically included in API requests
Refresh tokens:
  • Expire after 7 days
  • Stored in httpOnly cookies (devkit4ai-refresh-token)
  • Used to obtain new access tokens
  • Revoked on logout
lib/auth-server.ts
Never store authentication tokens in localStorage or sessionStorage. Use httpOnly cookies to prevent XSS attacks.

API key security

Storage and handling

Environment variables:
  • Store keys in .env.local for development
  • Use hosting provider secrets for production
  • Never commit keys to version control
Server-side only:

Key rotation

1

Generate new keys

In Cloud Admin, create new developer and project API keys.
2

Update environment variables

Set new keys in your hosting provider and local .env.local.
3

Deploy and verify

Deploy with new keys and confirm application works.
4

Revoke old keys

In Cloud Admin, revoke the old keys after confirming new ones work.
Rotate API keys every 90 days or immediately if compromised.

Password security

The Cloud API enforces strong password requirements: Minimum requirements:
  • At least 8 characters
  • One uppercase letter
  • One lowercase letter
  • One digit
Client-side validation:
components/register-form.tsx
Server-side hashing: Passwords are hashed with bcrypt before storage (handled by Cloud API).

HTTPS enforcement

Production configuration

All production deployments must use HTTPS: Vercel, Netlify: Automatic HTTPS with free SSL certificates Custom domains:
  1. Configure SSL certificate
  2. Redirect HTTP to HTTPS
  3. Enable HSTS headers
Next.js middleware:
middleware.ts

CORS configuration

The Cloud API restricts cross-origin requests: Allowed origins:
  • Your registered domain(s)
  • localhost:* for development
Configure in Cloud Admin:
  1. Navigate to Project Settings
  2. Add allowed origins
  3. Wildcards supported for subdomains

Input validation

Always validate user input: Email addresses:
Sanitize display values:
Return URL validation:
lib/return-url.ts

Rate limiting

The Cloud API implements rate limits: Per project:
  • Authentication: 10 requests/minute
  • Data endpoints: 100 requests/minute
  • AI generation: 10 requests/minute
Handle rate limits:

Security headers

Configure security headers in next.config.ts:
next.config.ts

Dependency security

Keep dependencies updated:
Enable Dependabot:
  1. Go to GitHub repository settings
  2. Enable Dependabot alerts
  3. Configure automatic PR creation

Monitoring and logging

Never log sensitive data:
Log security events:
  • Failed login attempts
  • API key usage
  • Permission denials
  • Rate limit hits

Security checklist

  • All secrets in environment variables, not code
  • .env.local in .gitignore
  • Different keys for dev/staging/production
  • HTTPS enforced in production
  • JWT tokens in httpOnly cookies
  • Password validation client and server-side
  • Logout clears all tokens
  • Protected routes check authentication
  • API keys stored server-side only
  • Rate limiting implemented
  • Input validation on all forms
  • Error messages don’t leak sensitive info
  • Dependencies regularly updated
  • No sensitive data in logs
  • Security headers configured
  • CORS properly configured

Next steps

Best Practices

Security best practices

Environment Variables

Secure credential management