---
title: Guard
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/guard/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/guard/
last_updated: 2026-06-20
---

# Guard

> Security hardening and authentication patterns for authorization, OWASP compliance…

A security hardening playbook for modern web apps that layers authentication, authorization, and input validation into a defense-in-depth stack. It covers NextAuth v5 setup, resource ownership checks, role-based access control, Zod validation, security headers, and OWASP Top 10 prevention: all built on fail-secure, least-privilege, and zero-trust principles so a single broken layer never exposes the whole system.

## Use cases
- Set up authentication with credentials, GitHub, and Google providers
- Enforce resource ownership checks before any access
- Implement role-based access control with permission gates
- Validate and sanitize all input with Zod schemas
- Configure HSTS, frame options, and other security headers
- Prevent OWASP Top 10 risks: injection, XSS, CSRF, and data exposure

## Benefits
- Stop privilege escalation by verifying ownership, not just authentication
- Avoid leaking account existence with 404-not-403 and generic error messages
- Keep secrets out of code and sensitive fields out of responses
- Block injection, XSS, and CSRF with parameterized queries and origin checks

## What’s included
- NextAuth v5 config, route handlers, and protected-route middleware
- Resource ownership and RBAC permission helper patterns
- Zod schemas for users, content sanitization, IDs, and pagination
- Security header set with HSTS, X-Frame-Options, and Permissions-Policy
- OWASP Top 10 prevention snippets for injection, auth, XSS, and CSRF
- Security checklist and red-flag table with resolutions

## Who it’s for
For full-stack developers securing Next.js apps who want a concrete, layered security baseline covering auth, authorization, validation, and OWASP defenses.

## How it runs
Hardening a Next.js app runs in layers: NextAuth configured properly, authorization that returns 404 instead of revealing resources, Zod at every boundary, security headers locked in config, and an OWASP sweep against a 13-point checklist.
1. Sets up NextAuth v5 properly: OAuth providers plus a Credentials provider whose authorize function validates input with Zod and compares against a bcrypt hash (cost 12), JWT session strategy, and middleware that redirects unauthenticated users off protected paths.
2. Layers authorization on top of authentication: every resource access checks ownership and returns 404 instead of 403 so the resource's existence is never revealed, and an RBAC permission table (user/moderator/admin) gates write and manage operations.
3. Validates all input at the boundary with Zod safeParse: schemas for users, IDs (UUID), pagination and HTML content stripping, so nothing typed by a client reaches business logic unchecked.
4. Installs the security header set in next.config: HSTS with preload, X-Frame-Options, nosniff, referrer policy and a permissions policy locking camera, microphone and geolocation.
5. Sweeps the OWASP Top 10 with concrete fixes: parameterized queries only, no string-built SQL; DOMPurify before any dangerouslySetInnerHTML; origin verification on POST routes for CSRF; sensitive fields like hashedPassword never selected into a response.
6. Closes with the 13-point checklist and red-flag scan: missing await auth() calls, passwords in responses, hardcoded secrets, error messages leaking internals, and login endpoints without a rate limiter.
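As an added example (not code from the Guard skill or from forgehouse.ai), the TypeScript below models steps 2 through 5 in a single dependency-free module: a UUID check at the boundary, an ownership-plus-RBAC decision that returns 404 rather than 403, an Origin check for state-changing routes, and the security header set. The resource store, user IDs, roles and allowed origins are constructed for illustration; a real route handler would take the session from NextAuth's auth() and the resource from the database, and would validate with Zod rather than the hand-rolled UUID regex used here.

```typescript
// Added example, not the Guard skill's own code. Everything below is in-memory and
// constructed for illustration; the shapes mirror the steps described on the page.

type Role = "user" | "moderator" | "admin";
type Action = "read" | "write" | "manage";

export interface Session { userId: string; role: Role }
export interface Resource { id: string; ownerId: string; title: string }

// Constructed store standing in for the database (IDs are UUID v4 shaped).
const resources: Resource[] = [
  { id: "8d2f1b3e-5c6a-4e7b-9f10-1a2b3c4d5e6f", ownerId: "u-alice", title: "alice's draft" },
  { id: "0f9e8d7c-6b5a-4f3e-8d2c-1b0a9f8e7d6c", ownerId: "u-bob", title: "bob's draft" },
];

// RBAC table: what each role may do to resources it does NOT own.
// Owners may always act on their own resources; everyone else goes through this table.
const rolePermissions: Record<Role, ReadonlySet<Action>> = {
  user: new Set<Action>(),
  moderator: new Set<Action>(["read", "write"]),
  admin: new Set<Action>(["read", "write", "manage"]),
};

// Boundary validation: reject anything that is not a UUID before it reaches a lookup.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
export function isUuid(id: unknown): id is string {
  return typeof id === "string" && UUID_RE.test(id);
}

export type Decision =
  | { status: 200; resource: Resource }
  | { status: 400 | 401 | 404 };

// Fail-secure access decision. Any denial that involves an existing resource returns
// 404, not 403, so a caller cannot tell "not found" from "not yours".
export function authorize(session: Session | null, rawId: unknown, action: Action): Decision {
  if (!session) return { status: 401 };        // unauthenticated: middleware redirects
  if (!isUuid(rawId)) return { status: 400 };  // malformed input never reaches the lookup
  const resource = resources.find((r) => r.id === rawId);
  if (!resource) return { status: 404 };
  const isOwner = resource.ownerId === session.userId;
  const allowed = isOwner || rolePermissions[session.role].has(action);
  return allowed ? { status: 200, resource } : { status: 404 };
}

// CSRF defence for POST routes: the Origin header (or, failing that, the Referer's
// origin) must match one of the app's own origins. Neither present means deny.
export function verifyOrigin(headers: Record<string, string | undefined>, allowed: string[]): boolean {
  const referer = headers["referer"];
  const candidate = headers["origin"] ?? (referer ? safeOrigin(referer) : undefined);
  return candidate !== undefined && allowed.includes(candidate);
}
function safeOrigin(url: string): string | undefined {
  try { return new URL(url).origin; } catch { return undefined; }
}

// The header set step 4 installs in next.config, in the { key, value } shape Next expects.
export const securityHeaders: Record<string, string> = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};
export function headerList(): { key: string; value: string }[] {
  return Object.keys(securityHeaders).map((key) => ({ key, value: securityHeaders[key] }));
}
```

The two denial paths worth noticing are the ones that carry no information: a malformed ID is rejected before any query runs, and a non-owner asking for someone else's resource gets the same 404 as a request for an ID that does not exist. The Origin check deliberately treats a missing header as a failure rather than a pass, which is the fail-secure default the page's principles call for.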

## FAQ
### How much of this playbook depends on NextAuth v5 and Next.js middleware, and how much can I carry to any stack?
The examples are built on NextAuth v5, route handlers, and Next.js middleware, so Next.js projects get the most direct value. Zod validation, security headers, and the OWASP principles transfer elsewhere, but you'd port the code yourself.

### We already have login; how does this stop privilege escalation beyond that?
Authentication alone isn't authorization. The patterns verify resource ownership before every access and add role-based permission gates, while the 404-not-403 convention avoids even leaking that an account exists.

### If I implement all of this, can I skip a penetration test?
No. This is a layered hardening baseline with a checklist: it raises the floor, but it doesn't replace an independent pentest or security audit. The two complement each other.

## Price
$15, one-time, no subscription. VAT included.

Related guide: [AI for application security](https://forgehouse.ai/guides/ai-application-security/)
