Security Hardening 🛡️

Treat security as a living checklist—cover headers, dependencies, secrets, and monitoring.

Secure Headers 📬

Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy.
Set via middleware or Next config.

CSP with Nonces 🔒

Generate nonce per request; apply to inline scripts via next/headers.
Example: Content-Security-Policy: script-src 'self' 'nonce-ABC'; object-src 'none';.

Dependency Hygiene 🧼

Run npm audit, pnpm audit, or use GitHub Dependabot.
Pin versions; avoid abandoned packages.

Secrets Rotation 🔁

Store secrets in Vault, AWS Secrets Manager, Doppler.
Rotate tokens regularly; monitor access logs.

Rate Limiting & Bot Mitigation 🚧

Use Redis/Upstash to count requests per IP/token.
Enforce general + auth-specific quotas.
Add hCaptcha/Turnstile for suspicious flows.

WAF & Bot Protection 🕸️

Leverage Vercel Edge functions, Cloudflare rules, or AWS WAF.
Block known malicious IP ranges or user agents.

Audit Logs 🧾

Log admin actions, data exports, permission changes.
Store immutable logs in append-only storage (S3 + Glacier).

Analogy: security hardening is fortifying a castle—walls (headers), moats (rate limits), sentries (monitoring), and rotating shift schedules (secret rotation) keep invaders out.

Last updated on March 3, 2026

2.5 Assets & Styling 21.1 Upgrade & Maintenance