- Home
- Skills
- Vishalsachdev
- Claude Skills
- Secure Nextjs Api Routes
secure-nextjs-api-routes_skill
- Python
1
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill vishalsachdev/claude-skills --skill secure-nextjs-api-routes- SKILL.md19.3 KB
Overview
This skill provides a comprehensive, composable security middleware system for Next.js 13+ App Router API routes. It bundles authentication checks, Supabase-backed rate limiting, CSRF double-submit protection, audit logging, request validation, and secure response headers into a production-ready pattern. Use it to harden API endpoints against common web attacks while keeping middleware usage simple and consistent.
How this skill works
The middleware wraps route handlers and enforces configured guards before and after the handler runs. It verifies allowed HTTP methods, optionally enforces authentication via Supabase, and applies per-endpoint rate limits stored in a Supabase table. For state-changing requests it validates CSRF tokens using a secure cookie + request header double-submit pattern. Successful responses get security headers and optionally a fresh CSRF token injected. Security events and rate-limit hits are written to an audit_logs table.
When to use it
- Protect new or existing Next.js App Router API routes against common web threats
- Require user authentication for sensitive endpoints using Supabase auth
- Apply granular rate limits for anonymous or authenticated clients
- Defend POST/PUT/PATCH/DELETE endpoints from CSRF attacks
- Generate audit trails for security events like unauthorized access or rate-limit breaches
Best practices
- Pick a SECURITY_PRESET that matches endpoint risk (PUBLIC, AUTHENTICATED, STRICT) and override per-route as needed
- Store rate limit and audit tables in Supabase and keep retention policies to avoid unbounded growth
- Enable csrfProtection for all state-changing operations and rotate tokens periodically
- Set environment NEXT_PUBLIC_BASE_URL and run in production mode to enforce secure cookie flags
- Limit maxBodySize to protect against large payload abuse and validate content-length early
Example use cases
- Protect an image upload endpoint with AUTHENTICATED preset and a tight maxBodySize
- Wrap user profile update routes with csrfProtection and audit logging to trace changes
- Rate-limit public API endpoints to 60 requests per minute using API_GENERAL preset
- Block non-allowed methods (e.g., only allow POST on a webhook endpoint) and return 405
- Log unauthorized access attempts to audit_logs and alert on repeated failures
FAQ
Yes — authentication, rate-limit storage, and audit logging rely on Supabase clients and tables. You can adapt storage calls for another backend but Supabase is the default.
How does CSRF protection work here?
It uses a double-submit cookie pattern: a secure, httpOnly cookie stores a token and the same token is expected in an X-CSRF-Token request header for state-changing requests.