
nextjs-security (listed)

Security audit specific to Next.js applications including App Router and Pages Router, Server Actions, middleware, Route Handlers, Server Components, environment variable exposure (NEXT_PUBLIC_), getServerSideProps/getStaticProps secret leakage, Image Optimization SSRF, and Next.js-specific authentication patterns. Use this skill whenever the user mentions Next.js, App Router, Pages Router, Server Actions, RSC, server components, middleware.ts, route handlers, NEXT_PUBLIC_, Vercel deployment patterns, next.config.js, or asks "audit my Next.js app", "is my middleware safe", "Server Actions security", "Next.js auth review". Trigger when the codebase contains a `next.config.js`/`next.config.mjs`/`next.config.ts` file, `app/` directory with `page.tsx` files, or `pages/` directory with Next.js conventions.
hlsitechio/claude-skills-security · ★ 1 · Web & Frontend · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# Next.js Security Audit

Audit a Next.js application for framework-specific vulnerabilities. Covers App Router (13+) and Pages Router. Defensive focus.

## When this skill applies

- Reviewing Next.js apps for security issues
- Auditing Server Actions, Route Handlers, middleware
- Reviewing environment variable usage (the `NEXT_PUBLIC_` trap)
- Checking authentication patterns specific to Next.js
- Identifying SSRF in `next/image` configurations
- Auditing the differences between Server and Client Components

Use other skills for: generic React patterns (`react-security`), backend services Next calls (`nodejs-express-security` etc.), auth providers (`clerk-security`, `nextauth-security`), Vercel platform settings (`vercel-platform-security`).

## Workflow

Follow `../_shared/audit-workflow.md`. Next.js-specific notes below.

### Phase 1: Stack detection

- Next.js version (13, 14, 15 — App Router behaviors differ)
- Router model: App Router (`app/`), Pages Router (`pages/`), or hybrid
- Deployment target: Vercel, self-hosted Node, edge runtime, static export
- Auth: NextAuth/Auth.js, Clerk, custom JWT, Supabase Auth, other

### Phase 2: Inventory

```bash
# Layout
find . -name 'next.config.*' -not -path '*/node_modules/*'
find app -type f \( -name 'page.tsx' -o -name 'route.ts' -o -name 'layout.tsx' \) 2>/dev/null | head -20
find pages -type f \( -name '*.tsx' -o -name '*.ts' \) 2>/dev/null | head -20

# Server Actions (App Router)
grep -rn "'use server'" app/ src/ 2>/dev/null
```
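As an added example, not part of the skill's README or the `claude-skills-security` project, the following POSIX shell script extends the Phase 2 inventory with a check for the `NEXT_PUBLIC_` trap named above: Next.js inlines every variable with that prefix into the client bundle at build time, so a variable whose name reads like a secret is a finding on its own. The `.env.local` contents are constructed inline so the script runs offline; the keyword list is an assumption to tune per codebase.

```shell
#!/usr/bin/env sh
# Added example (not from the skill's README): flag NEXT_PUBLIC_ variables
# whose names suggest a secret. Anything under that prefix ships to every browser.

# Keyword heuristic (assumption): substrings that rarely belong in a public value.
SECRET_WORDS='SECRET|PRIVATE|TOKEN|PASSWORD|PASSWD|SIGNING'

# Write a constructed sample .env.local into a temp dir and print the dir path.
make_sample_env() {
  dir=$(mktemp -d)
  cat > "$dir/.env.local" <<'EOF'
NEXT_PUBLIC_API_URL=https://api.example.invalid
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_test_placeholder
STRIPE_SECRET_KEY=sk_test_placeholder
NEXT_PUBLIC_ANALYTICS_ID=UA-000000
NEXT_PUBLIC_JWT_SIGNING_TOKEN=placeholder
EOF
  printf '%s\n' "$dir"
}

# Print, one per line and de-duplicated, the names of NEXT_PUBLIC_ variables
# declared in any .env* file under $1 whose name contains a secret-like word.
# Only the prefixed names are reported; the same secret without the prefix
# (server-only) is the correct place for it and is left alone.
find_public_secrets() {
  find "$1" -type f -name '.env*' \
    -exec grep -hoE "^NEXT_PUBLIC_[A-Z0-9_]*(${SECRET_WORDS})[A-Z0-9_]*=" {} + \
    | sed 's/=$//' | sort -u
}

# Number of flagged names, for a quick pass/fail in CI or an audit script.
count_public_secrets() {
  find_public_secrets "$1" | wc -l | tr -d ' '
}

# Demonstration run on the constructed sample: prints the two flagged names.
sample_dir=$(make_sample_env)
find_public_secrets "$sample_dir"
rm -rf "$sample_dir"
```

Run `find_public_secrets <project-dir>` against a checkout and treat each hit as a lead to confirm by reading where the value is consumed: a public analytics or maps identifier legitimately lives under the prefix, a signing or payment secret never does, and the fix is to drop the prefix and read the value only from server code (Route Handlers, Server Actions, `getServerSideProps`).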