Web Security · 15 min read · January 14, 2026
OWASP Top 10 for Next.js Apps: A Practical Hardening Checklist
Working through every OWASP Top 10 category with concrete Next.js / Node.js mitigations — from injection prevention to security logging and monitoring.
Tags: OWASP, Next.js, Web Security, Hardening
## A01 — Broken Access Control
- Use middleware to validate the JWT/session on every protected route, but treat it as a coarse perimeter: route handlers and Server Actions are reachable directly and must make their own authorization decision.
- Never trust client-supplied IDs (path params, query strings, hidden form fields). Load the record server-side and re-verify that the caller owns it or holds a role that permits access; returning 404 for records the caller may not see avoids confirming that the ID exists.
- Implement RBAC at the data layer, not just the route layer, so that a newly added route or Server Action cannot skip the check.
```typescript
// middleware.ts
import { NextRequest, NextResponse } from 'next/server';

export function middleware(request: NextRequest) {
  const token = request.cookies.get('session')?.value;
  // redirect() requires an absolute URL, so resolve the path against the request
  if (!token) return NextResponse.redirect(new URL('/login', request.url));
  // Verify signature and expiry here (e.g. jose's jwtVerify) and read the role from the
  // verified claims; middleware runs on the Edge runtime, so keep DB lookups in the handler
  return NextResponse.next();
}
// Limit the middleware to protected paths so /login itself is never redirected
export const config = { matcher: ['/dashboard/:path*', '/account/:path*'] };
```
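The ownership check from the second and third bullets, as an added example (not code from the article): a lookup that trusts the client-supplied ID beside one that makes the caller's identity part of the query. The in-memory `db`, the `Session` shape and the `user`/`admin` roles are assumptions chosen for illustration; in a Next.js app `findInvoiceFor` would live in the data layer and `getInvoiceResponse` in the route handler.

```typescript
// Added example, not from the article. The in-memory db, the Session shape and the
// user/admin roles are assumptions chosen for illustration.
type Role = 'user' | 'admin';
export interface Session { userId: string; role: Role }
export interface Invoice { id: string; ownerId: string; amountCents: number }
export interface Outcome { status: number; body: Invoice | null }

// Constructed sample data standing in for an invoices table
const db: Invoice[] = [
  { id: 'inv-1001', ownerId: 'alice', amountCents: 1200 },
  { id: 'inv-1002', ownerId: 'bob', amountCents: 25000 },
];

// BEFORE: trusts the ID from the URL. Any logged-in user who increments the number
// reads Bob's invoice (an insecure direct object reference).
export function findInvoiceUnsafe(id: string): Invoice | undefined {
  return db.find((inv) => inv.id === id);
}

// AFTER: the caller's identity is part of the query, so the data layer enforces
// ownership (or the admin role) no matter which route called it.
export function findInvoiceFor(session: Session, id: string): Invoice | undefined {
  return db.find(
    (inv) => inv.id === id && (inv.ownerId === session.userId || session.role === 'admin'),
  );
}

// What a route handler would return. A record the caller may not see gets the same 404
// as a missing one, so the response does not reveal which IDs exist.
export function getInvoiceResponse(session: Session | null, id: string): Outcome {
  if (!session) return { status: 401, body: null };
  const invoice = findInvoiceFor(session, id);
  return invoice ? { status: 200, body: invoice } : { status: 404, body: null };
}
```

Because the identity is an argument of the data-access function rather than a check bolted onto one route, a new route or Server Action that forgets to authorize still cannot fetch another user's record.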
## A03 — Injection
- Use parameterised queries (Prisma, Drizzle, or `pg` with `client.query(text, values)`) and never string-concatenate SQL. Watch the raw-query escape hatches (`$queryRawUnsafe` in Prisma, `sql.raw()` in Drizzle): they are exactly where concatenation creeps back in.
- React escapes text by default, so the XSS risk concentrates in `dangerouslySetInnerHTML`. Sanitise with DOMPurify before rendering user-supplied HTML there; DOMPurify needs a DOM, so run it in the browser or with a jsdom-backed build on the server.
- Validate and parse all inputs with Zod at every API boundary: route handlers, Server Actions, and search/route params are all attacker-controlled.
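The first and third bullets, as an added example (not code from the article): a `sql` tagged template that turns each interpolated value into a `$n` placeholder and yields the `{ text, values }` object that `pg`'s `client.query()` accepts, shown beside the concatenated query it replaces, plus a hand-written boundary check standing in for the Zod schema the article recommends. The `users` table, its columns and the username format are assumptions.

```typescript
// Added example, not from the article. The users table/columns and the username
// format are assumptions; the validator stands in for a Zod schema.
export interface ParamQuery { text: string; values: unknown[] }

// Every ${...} becomes a $1, $2, ... placeholder; user input never touches the SQL text.
// The output shape matches what pg's client.query(text, values) expects.
export function sql(strings: TemplateStringsArray, ...values: unknown[]): ParamQuery {
  const text = strings.reduce((acc, part, i) => acc + (i > 0 ? `$${i}` : '') + part, '');
  return { text, values };
}

// BEFORE: string concatenation. A username of  ' OR '1'='1  rewrites the WHERE clause.
export function findUserUnsafe(username: string): string {
  return `SELECT id, role FROM users WHERE username = '${username}'`;
}

// AFTER: parameterised. The same payload is delivered to the driver as a plain value.
export function findUserQuery(username: string): ParamQuery {
  return sql`SELECT id, role FROM users WHERE username = ${username}`;
}

// Boundary validation: reject malformed input before a query is even built
// (assumed format: 3-32 lowercase alphanumerics or underscores).
const USERNAME = /^[a-z0-9_]{3,32}$/;
export function validateUsername(input: unknown): string {
  if (typeof input !== 'string' || !USERNAME.test(input)) {
    throw new Error('invalid username');
  }
  return input;
}
```

Validation and parameterisation are complementary, not alternatives: the placeholder keeps the payload out of the SQL grammar, while the schema keeps garbage out of the application logic and the logs.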
## A05 — Security Misconfiguration
Add security headers in `next.config.ts`. `headers` is an async function that returns header sets keyed by a route pattern; the `'/(.*)'` source applies the baseline to every response. Send `Strict-Transport-Security` only once the site is served over HTTPS end to end (browsers ignore it on plain HTTP, and an over-long `max-age` is hard to undo), and set `poweredByHeader: false` to drop the `X-Powered-By: Next.js` header Next.js adds by default:
```typescript
// next.config.ts (fragment of the exported NextConfig object)
poweredByHeader: false,
async headers() {
  return [{ source: '/(.*)', headers: [
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  ] }];
},
```
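A check to go with the config, as an added example (not code from the article): an audit that compares a captured response's headers against the baseline above, usable in an integration test against a deployed app (feed it `Object.fromEntries((await fetch(url)).headers)`). The two header sets at the bottom are constructed samples and the one-year HSTS floor is my threshold, not the article's.

```typescript
// Added example, not from the article. Sample header sets are constructed; the
// one-year HSTS floor is an assumed threshold.
const ONE_YEAR = 31_536_000;

export function auditSecurityHeaders(headers: Record<string, string>): string[] {
  // Header names are case-insensitive, so normalise before looking them up
  const h: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings: string[] = [];

  // Clickjacking: accept either the legacy header or the CSP directive that supersedes it
  const framed = h['x-frame-options']?.toUpperCase();
  const csp = h['content-security-policy'] ?? '';
  if (framed !== 'DENY' && framed !== 'SAMEORIGIN' && !/frame-ancestors/i.test(csp)) {
    findings.push('no clickjacking protection: set X-Frame-Options: DENY or CSP frame-ancestors');
  }
  if (h['x-content-type-options']?.toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const maxAge = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? '0');
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }
  // Next.js adds this by default; disable it with poweredByHeader: false
  if (h['x-powered-by']) findings.push('X-Powered-By discloses the framework');
  return findings;
}

// Constructed: a default Next.js response before any hardening
export const defaultHeaders: Record<string, string> = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Powered-By': 'Next.js',
};
// Constructed: the baseline from the config above
export const hardenedHeaders: Record<string, string> = {
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
};
```

Run it against every route class (HTML pages, API routes, static assets): `headers` in `next.config.ts` is applied per `source` pattern, so a narrower pattern than `'/(.*)'` silently leaves some responses uncovered.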
## A09 — Security Logging and Monitoring
Log every authentication and authorization event, successes and failures alike, as structured JSON with at least: timestamp, source IP, user agent, user ID (or the attempted username), the outcome, and the reason for a failure. Never log the password, the session cookie, or the JWT itself. Ship the logs to a centralised SIEM (Elastic/Splunk) rather than leaving them on the host, and alert on: 10+ failed logins from one IP or against one account within 60 s, impossible travel (one account logging in from locations it could not have travelled between in the elapsed time), and sensitive endpoint access outside business hours.
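Two of those alert rules run over sample log lines, as an added example (not code from the article): a sliding-window count of failed logins per source IP and an off-hours filter for sensitive endpoints. The event field names, the 08:00-18:00 UTC business window, the sample IPs and the log lines themselves are constructed assumptions; impossible-travel detection needs a geo-IP lookup and is not shown.

```typescript
// Added example, not from the article. Field names, the business-hours window and the
// sample log lines are constructed assumptions.
export interface AuthEvent {
  ts: string;                      // ISO-8601 timestamp
  event: 'login_success' | 'login_failure' | 'admin_access';
  ip: string;
  ua: string;
  userId?: string;                 // attempted username for failures
  path?: string;                   // set for sensitive endpoint access
}

// Constructed sample: 12 failures from one IP inside 44 s, one stray failure, two admin hits
const base = Date.parse('2026-01-14T03:10:00Z');
export const sampleLog = [
  ...Array.from({ length: 12 }, (_, i) =>
    JSON.stringify({ ts: new Date(base + i * 4000).toISOString(), event: 'login_failure',
      ip: '203.0.113.7', ua: 'curl/8.4', userId: 'alice' })),
  JSON.stringify({ ts: '2026-01-14T03:11:30Z', event: 'login_failure', ip: '198.51.100.4', ua: 'Mozilla/5.0', userId: 'bob' }),
  JSON.stringify({ ts: '2026-01-14T03:12:00Z', event: 'admin_access', ip: '198.51.100.4', ua: 'Mozilla/5.0', userId: 'bob', path: '/admin/users' }),
  JSON.stringify({ ts: '2026-01-14T10:00:00Z', event: 'admin_access', ip: '198.51.100.9', ua: 'Mozilla/5.0', userId: 'carol', path: '/admin/users' }),
].join('\n');

// One JSON object per line (NDJSON), the shape most shippers forward to a SIEM
export function parseEvents(ndjson: string): AuthEvent[] {
  return ndjson.trim().split('\n').map((line) => JSON.parse(line) as AuthEvent);
}

// True if any window of `windowMs` contains at least `threshold` timestamps
function hasBurst(times: number[], threshold: number, windowMs: number): boolean {
  times.sort((a, b) => a - b);
  let start = 0;
  for (let end = 0; end < times.length; end++) {
    while (times[end] - times[start] > windowMs) start++;   // slide the window forward
    if (end - start + 1 >= threshold) return true;
  }
  return false;
}

// Rule 1: 10+ failed logins from a single source IP within 60 s
export function detectBruteForce(events: AuthEvent[], threshold = 10, windowMs = 60_000): string[] {
  const failuresByIp = new Map<string, number[]>();
  for (const e of events) {
    if (e.event !== 'login_failure') continue;
    const times = failuresByIp.get(e.ip) ?? [];
    times.push(Date.parse(e.ts));
    failuresByIp.set(e.ip, times);
  }
  const flagged: string[] = [];
  failuresByIp.forEach((times, ip) => {
    if (hasBurst(times, threshold, windowMs)) flagged.push(ip);
  });
  return flagged;
}

// Rule 2: sensitive endpoint access outside business hours (assumed 08:00-18:00 UTC)
export function detectOffHours(events: AuthEvent[], openHour = 8, closeHour = 18): AuthEvent[] {
  return events.filter((e) => {
    if (e.event !== 'admin_access') return false;
    const hour = new Date(e.ts).getUTCHours();
    return hour < openHour || hour >= closeHour;
  });
}
```

Keying the brute-force rule by IP alone misses password spraying from many addresses against one account, so run the same window keyed by `userId` as well; in a SIEM both become a single threshold query over the same fields.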