Security

next-api-layer includes a comprehensive security system with multiple layers of protection. This page covers all security features and their configuration.

Overview#

The security system provides:

CSRF Protection - Prevents cross-site request forgery attacks
Rate Limiting - Protects against brute force and DDoS attacks
XSS Sanitization - Cleans malicious content from responses
Audit Logging - Tracks security events for compliance and debugging

CSRF Protection#

Cross-Site Request Forgery (CSRF) protection prevents malicious sites from making requests on behalf of authenticated users.

Configuration#

TypeScript

Strategies#

fetch-metadata

Uses Sec-Fetch-* headers (modern browsers only).

TypeScript

Validates:

Sec-Fetch-Site: Must be same-origin or same-site
Sec-Fetch-Mode: Checked for navigation vs. API requests

Pros: No token management needed Cons: Not supported in older browsers

double-submit

Classic double-submit cookie pattern.

TypeScript

How it works:

Server sets a CSRF cookie with a random token
Client must send the same token in a header
Server validates that cookie value matches header value

Client-side usage:

TypeScript

both

Combines both strategies for maximum compatibility.

TypeScript

Validates:

First checks Sec-Fetch-* headers (if available)
Then falls back to double-submit validation

Recommended for production.

Trust Same-Site#

TypeScript

When enabled, requests with Sec-Fetch-Site: same-origin skip CSRF validation.

Ignore Methods#

TypeScript

Safe methods that don't need CSRF protection.

Rate Limiting#

Protects your API from abuse by limiting the number of requests per time window.

Configuration#

TypeScript

Options#

windowMs

Time window in milliseconds.

TypeScript

maxRequests

Maximum requests allowed per window.

TypeScript

keyFn

Function to generate rate limit key. Defaults to IP address.

TypeScript

skipRoutes

Routes to exclude from rate limiting.

TypeScript

onRateLimited

Custom response when rate limited.

TypeScript

Headers#

Rate limit information is included in response headers:

XSS Sanitization#

The API client automatically sanitizes response data to prevent XSS attacks.

Configuration#

TypeScript

How It Works#

All string values in API responses are sanitized:

TypeScript

Allowed Tags#

Specify which HTML tags are safe:

TypeScript

Skip Fields#

Fields that should not be sanitized (use with caution):

TypeScript

Custom Sanitizer#

TypeScript

Audit Logging#

Track security-relevant events for compliance, debugging, and monitoring.

Configuration#

TypeScript

Event Types#

Event	Description
`auth:success`	User successfully authenticated
`auth:fail`	Authentication failed
`auth:refresh`	Token was refreshed
`auth:guest`	Guest token was created
`access:denied`	Access to protected route denied
`csrf:fail`	CSRF validation failed
`rateLimit:exceeded`	Rate limit exceeded
`error`	An error occurred

Event Structure#

TypeScript

Logger Examples#

Console Logger

TypeScript

Database Logger

TypeScript

External Service

TypeScript

Security Best Practices#

TypeScript

Environment-Specific Settings#

TypeScript

Protect Sensitive Routes#

TypeScript

Rate Limit Sensitive Endpoints#

TypeScript

Security Headers#

The proxy automatically sets security headers:

To customize:

TypeScript

Security

next-api-layer includes a comprehensive security system with multiple layers of protection. This page covers all security features and their configuration.

Overview#

The security system provides:

CSRF Protection - Prevents cross-site request forgery attacks
Rate Limiting - Protects against brute force and DDoS attacks
XSS Sanitization - Cleans malicious content from responses
Audit Logging - Tracks security events for compliance and debugging

CSRF Protection#

Cross-Site Request Forgery (CSRF) protection prevents malicious sites from making requests on behalf of authenticated users.

Configuration#

TypeScript

Strategies#

fetch-metadata

Uses Sec-Fetch-* headers (modern browsers only).

TypeScript

Validates:

Sec-Fetch-Site: Must be same-origin or same-site
Sec-Fetch-Mode: Checked for navigation vs. API requests

Pros: No token management needed Cons: Not supported in older browsers

double-submit

Classic double-submit cookie pattern.

TypeScript

How it works:

Server sets a CSRF cookie with a random token
Client must send the same token in a header
Server validates that cookie value matches header value

Client-side usage:

TypeScript

both

Combines both strategies for maximum compatibility.

TypeScript

Validates:

First checks Sec-Fetch-* headers (if available)
Then falls back to double-submit validation

Recommended for production.

windowMs

Time window in milliseconds.

TypeScript

maxRequests

Maximum requests allowed per window.

TypeScript

keyFn

Function to generate rate limit key. Defaults to IP address.

TypeScript

skipRoutes

Routes to exclude from rate limiting.

TypeScript

onRateLimited

Custom response when rate limited.

TypeScript

Event	Description
`auth:success`	User successfully authenticated
`auth:fail`	Authentication failed
`auth:refresh`	Token was refreshed
`auth:guest`	Guest token was created
`access:denied`	Access to protected route denied
`csrf:fail`	CSRF validation failed
`rateLimit:exceeded`	Rate limit exceeded
`error`	An error occurred

Event Structure#

TypeScript

Logger Examples#

Console Logger

TypeScript

Database Logger

TypeScript

External Service

TypeScript