Security

Rules for application security. The security-engineer agent reviews for OWASP compliance; these rules codify the baseline.

Authentication & Sessions

For Clerk, WorkOS, and provider-specific rules, see auth.md.

  • MUST: Store auth tokens in httpOnly cookies, not localStorage or sessionStorage.
  • MUST: Set Secure, SameSite=Lax (or Strict) on auth cookies.
  • MUST: Invalidate sessions server-side on logout — don't just delete the client cookie.
  • MUST: Verify webhook signatures before processing payloads. Use the provider's SDK verification, not manual HMAC.
  • MUST: Enforce RBAC at the data layer (queries/mutations), not just at the route or middleware level.
  • NEVER: Store secrets, tokens, or API keys in client-accessible code or bundles.
  • SHOULD: Use short-lived access tokens with refresh token rotation.
  • SHOULD: Rotate refresh tokens on each use (one-time-use tokens).

Input & Output

  • MUST: Validate and sanitize all user input at system boundaries (API routes, server actions, form handlers).
  • SHOULD: Use Zod schemas at every API boundary. See api.md.

CSRF & CORS

  • MUST: Use SameSite cookies or CSRF tokens for state-changing requests.
  • SHOULD: Prefer server actions or SameSite=Lax cookies over manual CSRF tokens in Next.js.

Secrets

  • MUST: Keep all secrets in environment variables, never in source code. See env.md.

Rate Limiting

  • SHOULD: Rate-limit authentication endpoints (login, signup, password reset).
  • SHOULD: Rate-limit expensive operations (file uploads, AI calls, email sends).
  • SHOULD: Return 429 Too Many Requests with a Retry-After header.
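As an added illustration of the three rate-limiting rules (not code from this rules set or its stack), the block below implements an in-memory sliding-window limiter whose decision maps straight onto a 429 response with a Retry-After header. The limit and window values, the key format (for example `login:<ip>`), and the response shape are assumptions for illustration.

```typescript
// Added example: sliding-window rate limiter producing 429 + Retry-After.
// The policy numbers and key format are assumptions, not project settings.

interface RateLimitPolicy {
  limit: number;    // max requests accepted per window
  windowMs: number; // window length in milliseconds
}

interface RateLimitDecision {
  allowed: boolean;
  remaining: number;
  retryAfterSeconds: number; // 0 when the request is allowed
}

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>(); // key -> accepted request timestamps (ms)
  private policy: RateLimitPolicy;
  private now: () => number;

  // `now` is injectable so the limiter can be tested with a fake clock.
  constructor(policy: RateLimitPolicy, now: () => number = Date.now) {
    this.policy = policy;
    this.now = now;
  }

  check(key: string): RateLimitDecision {
    const t = this.now();
    const cutoff = t - this.policy.windowMs;
    // Keep only the hits that still fall inside the window.
    const recent = (this.hits.get(key) ?? []).filter((ts) => ts > cutoff);
    if (recent.length >= this.policy.limit) {
      this.hits.set(key, recent);
      // The oldest hit still in the window decides when a slot frees up.
      const oldest = recent[0] ?? t;
      const retryAfterMs = oldest + this.policy.windowMs - t;
      return { allowed: false, remaining: 0, retryAfterSeconds: Math.max(1, Math.ceil(retryAfterMs / 1000)) };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.policy.limit - recent.length, retryAfterSeconds: 0 };
  }
}

// Turns a decision into the status and headers a login or reset handler would send.
function toResponse(d: RateLimitDecision): { status: number; headers: Record<string, string> } {
  if (d.allowed) return { status: 200, headers: { "X-RateLimit-Remaining": String(d.remaining) } };
  return { status: 429, headers: { "Retry-After": String(d.retryAfterSeconds) } };
}

// Assumed policy: 5 login attempts per minute, keyed per client (e.g. `login:${ip}`).
const loginLimiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60_000 });
```

The Map lives in one process, so behind several Next.js instances the same counters would need a shared store; the decision and response mapping stay the same.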

Dependencies

  • SHOULD: Run pnpm audit regularly. See stack.md for approved packages.