Security model
ShipVeryFast ships secure by default. Here are the protections built into the boilerplate and how to configure them.
Rate limiting
API routes are rate limited in middleware.ts with tiered limits: stricter on auth and sensitive operations (password, email, subscription), looser on general endpoints. Tune the magic-link limits with RATE_LIMIT_MAGICLINK_MAX and RATE_LIMIT_MAGICLINK_DURATION.
CSRF protection
Non-GET API requests are checked for same-origin and a signed CSRF token (x-csrf-token). Tokens are HMAC-signed with CSRF_SECRET and verified in constant time. Fetch a token from /api/csrf-token; the useCSRF hook handles this automatically on the client.
Security headers
A Content-Security-Policy and the usual hardening headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are applied in next.config.js. Headers are baked at build time, so a CSP change requires a rebuild.
Input validation & sanitization
Environment variables are validated with Zod at startup (libs/config.ts) so misconfiguration fails fast. Request bodies are validated per-route, and user-supplied HTML is sanitized with DOMPurify before rendering.
Audit logging
Security events (rate-limit hits, CSRF failures, auth events) are recorded through a runtime-aware security logger: it writes to a file in the Node runtime and streams to the platform log in the Edge runtime, so the same call works from middleware and API routes alike.
Admin access
Security endpoints (/api/security/audit, /api/security/alerts) are gated to an admin allowlist via ADMIN_EMAILS (comma-separated). The allowlist fails closed: if ADMIN_EMAILS is unset, no user is treated as admin.
