# Next.js Security Audit - Comprehensive Vulnerability Scanner and Fixer
## Development Philosophy
- **Security First**: Every line of code should be written with security in mind
- **Minimal Attack Surface**: Reduce exposure by implementing least privilege principles
- **Defense in Depth**: Layer security controls to prevent single points of failure
- **Practical Over Perfect**: Focus on high-impact, implementable fixes
- **Continuous Monitoring**: Security is not a one-time activity but an ongoing process
## 🔍 Phase 1: Automated Security Scan
Systematically analyze the codebase for vulnerabilities. For each finding, provide:
```
📍 Location: [filename:line]
🚨 Severity: [CRITICAL|HIGH|MEDIUM|LOW]
🔓 Issue: [Clear description]
💥 Impact: [What could happen]
```
### Priority Scan Areas
#### Authentication & Authorization
- JWT implementation flaws
- Session management issues
- Missing auth middleware on protected routes
- Insecure password reset flows
- OAuth misconfigurations
- Missing role-based access control (RBAC)
- Privilege escalation vulnerabilities
#### API Security
- Unprotected API routes (`/api/*` without auth checks)
- Missing CSRF protection
- Lack of rate limiting
- Input validation gaps
- SQL/NoSQL injection risks
- Mass assignment vulnerabilities
- GraphQL specific vulnerabilities (if applicable)
- Missing API versioning strategy
#### Next.js Specific Vulnerabilities
- Exposed server components with sensitive logic
- Client-side environment variables containing secrets
- Improper use of `dangerouslySetInnerHTML`
- Missing security headers in `next.config.js`
- Insecure redirects and open redirects
- Server actions without proper validation
- Middleware bypass vulnerabilities
- Static generation exposing sensitive data
#### Data Exposure
- Sensitive data in client components
- API responses leaking internal data
- Error messages exposing system info
- Unfiltered database queries
- Missing data sanitization
- Logging sensitive information
- Exposed user PII in URLs or localStorage
#### Configuration Issues
- Hardcoded secrets or API keys
- Insecure CORS settings
- Missing Content Security Policy
- Exposed `.env` variables on client
- Debug mode in production
- Verbose error reporting
- Missing HTTPS enforcement
## 📊 Phase 2: Risk Assessment & Remediation Plan
### Vulnerability Analysis Template
```markdown
### [Issue Name]
**Risk Level**: [CRITICAL/HIGH/MEDIUM/LOW]
**CVSS Score**: [0.0-10.0]
**CWE ID**: [Common Weakness Enumeration ID]
**Attack Vector**:
1. [Step-by-step exploitation scenario]
2. [Tools/techniques required]
3. [Skill level needed]
**Business Impact**:
- Data breach potential: [Yes/No - what data]
- Service disruption: [Yes/No - how]
- Compliance violation: [GDPR/PCI/HIPAA/SOC2 if applicable]
- Reputation damage: [High/Medium/Low]
- Financial impact: [Estimated range]
**Recommended Fix**:
[Minimal, practical solution with code example]
**Alternative Solutions**:
[If multiple approaches exist]
**Implementation Effort**: [Hours/Days]
**Breaking Changes**: [Yes/No - what might break]
**Dependencies**: [New packages or services required]
```
## 🔧 Phase 3: Secure Code Implementation
### Fix Template
```diff
// File: [path/to/file]
// Issue: [Brief description]
// CWE: [CWE-XXX]
- [old insecure code]
+ [new secure code]
// Test coverage required:
// - [Unit test scenario]
// - [Integration test scenario]
```
### Verification Checklist
- [ ] Fix addresses the root cause
- [ ] No new vulnerabilities introduced
- [ ] Backward compatibility maintained
- [ ] Performance impact assessed (<5% degradation)
- [ ] Error handling preserved
- [ ] Logging added for security events
- [ ] Documentation updated
- [ ] Tests written and passing
## 🎯 Next.js Security Checklist
Rate each area:
- ✅ Secure
- ⚠️ Needs improvement
- ❌ Critical issue
### Core Security
- [ ] All API routes have authentication
- [ ] Rate limiting implemented (e.g., with `next-rate-limit`)
- [ ] CSRF tokens on state-changing operations
- [ ] Input validation with `zod` or similar
- [ ] SQL queries use parameterization
- [ ] XSS prevention in place
- [ ] File upload restrictions implemented
- [ ] Security event logging configured
### Next.js Configuration
- [ ] Security headers in `next.config.js`
- [ ] Environment variables properly split (server vs client)
- [ ] Content Security Policy configured
- [ ] HTTPS enforced in production
- [ ] Source maps disabled in production
- [ ] Strict TypeScript configuration
- [ ] Middleware security rules implemented
- [ ] API routes follow RESTful security practices
### Authentication & Session Management
- [ ] Secure session management (httpOnly, secure, sameSite cookies)
- [ ] Password hashing with bcrypt/argon2 (cost factor ≥ 12)
- [ ] Account lockout mechanisms (after 5 failed attempts)
- [ ] Secure password reset flow (time-limited tokens)
- [ ] 2FA/MFA support implemented
- [ ] Session timeout configured
- [ ] Secure "Remember Me" functionality
- [ ] Logout properly clears all session data
### Data Protection
- [ ] Sensitive data encrypted at rest
- [ ] PII data minimization practiced
- [ ] Data retention policies implemented
- [ ] Secure data deletion procedures
- [ ] Audit trails for sensitive operations
- [ ] GDPR compliance measures
## 📋 Executive Summary Format
```markdown
# Security Audit Report - [Date]
## Critical Findings
[Number] critical vulnerabilities requiring immediate attention
## Risk Matrix
| Category | Critical | High | Medium | Low |
|----------|----------|------|---------|-----|
| Auth | X | X | X | X |
| API | X | X | X | X |
| Data | X | X | X | X |
| Config | X | X | X | X |
## Summary by Category
- Authentication: [X issues] - [Brief description]
- API Security: [X issues] - [Brief description]
- Data Protection: [X issues] - [Brief description]
- Configuration: [X issues] - [Brief description]
## Remediation Timeline
- Immediate (24h): [List critical fixes]
- Short-term (1 week): [List high priority]
- Medium-term (1 month): [List medium priority]
- Long-term (3 months): [List low priority]
## Required Resources
- Developer hours: [Estimate by priority]
- Third-party tools: [List with costs]
- Testing requirements: [Scope and timeline]
- Training needs: [Security awareness topics]
## Compliance Status
- [ ] OWASP Top 10 addressed
- [ ] GDPR requirements met
- [ ] Industry standards compliance
```
## 🚀 Quick Wins
Identify 5-10 fixes that can be implemented immediately with high security impact:
1. **Enable rate limiting** on all API routes
2. **Add security headers** to next.config.js
3. **Implement input validation** using Zod schemas
4. **Enable CSRF protection** for mutations
5. **Remove console.logs** containing sensitive data
## 🛡️ Security Code Patterns
### Secure API Route Template
```typescript
// app/api/secure-endpoint/route.ts
import { NextRequest, NextResponse } from 'next/server';
import { z } from 'zod';
import { verifyAuth } from '@/lib/auth';
import { rateLimit } from '@/lib/rate-limit';
import { csrf } from '@/lib/csrf';
const schema = z.object({
// Define your input schema
});
export async function POST(req: NextRequest) {
// Rate limiting
const rateLimitResult = await rateLimit(req);
if (!rateLimitResult.success) {
return NextResponse.json({ error: 'Too many requests' }, { status: 429 });
}
// Authentication
const auth = await verifyAuth(req);
if (!auth.authenticated) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
// CSRF protection
const csrfValid = await csrf.verify(req);
if (!csrfValid) {
return NextResponse.json({ error: 'Invalid CSRF token' }, { status: 403 });
}
// Input validation
const body = await req.json();
const validationResult = schema.safeParse(body);
if (!validationResult.success) {
return NextResponse.json({
error: 'Validation failed',
details: validationResult.error.flatten()
}, { status: 400 });
}
try {
// Business logic here
return NextResponse.json({ success: true });
} catch (error) {
// Log error securely (no sensitive data)
console.error('API error:', {
endpoint: '/api/secure-endpoint',
userId: auth.userId,
timestamp: new Date().toISOString()
});
return NextResponse.json({
error: 'Internal server error'
}, { status: 500 });
}
}
```
### Security Headers Configuration
```javascript
// next.config.js
const securityHeaders = [
{
key: 'X-DNS-Prefetch-Control',
value: 'on'
},
{
key: 'Strict-Transport-Security',
value: 'max-age=63072000; includeSubDomains; preload'
},
{
key: 'X-Frame-Options',
value: 'SAMEORIGIN'
},
{
key: 'X-Content-Type-Options',
value: 'nosniff'
},
{
key: 'X-XSS-Protection',
value: '1; mode=block'
},
{
key: 'Referrer-Policy',
value: 'origin-when-cross-origin'
},
{
key: 'Content-Security-Policy',
value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
}
];
module.exports = {
async headers() {
return [
{
source: '/:path*',
headers: securityHeaders,
},
];
},
};
```
## Remember
- Security is everyone's responsibility
- The best security is invisible to users
- Document security decisions for future reference
- Regular security audits are essential
- Stay updated with the latest security advisories