Content Security Policy (CSP)
A strict CSP is the main defense-in-depth control against XSS: output encoding should stop a payload from reaching the page, and a nonce-based policy makes the browser refuse to run any script that gets there anyway. In Next.js you can set static headers in next.config.js, but a strict policy has to be built per request in Middleware, because the nonce must change on every response.
```js
// Middleware: a per-request nonce allows only inline scripts that carry it.
// 'unsafe-inline'/'unsafe-eval' in script-src would negate the policy
// ('unsafe-eval' is needed only by the Next.js dev server).
const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
const cspHeader = `
  default-src 'self';
  script-src 'self' 'nonce-${nonce}' 'strict-dynamic';
  style-src 'self' 'nonce-${nonce}';
  object-src 'none';
  base-uri 'self';
`;
```

Rate Limiting
Server Actions are public POST endpoints, so they need the same abuse controls as any API route. We rate-limit them with Upstash Redis, keyed per user (or per client IP for anonymous callers), so the counter is shared across every serverless instance rather than held in one process's memory.
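The logic such a limiter implements, as an added example (not the page's code): a fixed-window counter built on the two Redis commands it depends on, INCR and PEXPIRE, with an in-memory class standing in for Upstash so it runs offline, plus the two decisions that stay yours whatever library you use, which identity to key on and what to do when the backend is down. The action name `submitComment` and the `ctx` fields `userId` and `trustedIp` are assumptions of this example.

```javascript
// Fixed-window rate limiting for server actions, offline. The store exposes
// only the Redis commands the algorithm needs so it can be swapped for a
// real client; the clock is injectable so behaviour is deterministic.

// In-memory stand-in for Redis INCR + PEXPIRE (constructed for this example).
class MemoryStore {
  constructor(now) { this.entries = new Map(); this.now = now; }
  async incr(key) {
    const cur = this.entries.get(key);
    if (cur && cur.expiresAt <= this.now()) this.entries.delete(key);
    const e = this.entries.get(key) ?? { count: 0, expiresAt: Infinity };
    e.count += 1;
    this.entries.set(key, e);
    return e.count;
  }
  async pexpire(key, ms) {
    const e = this.entries.get(key);
    if (e) e.expiresAt = this.now() + ms;
  }
}

// `limit` hits per `windowMs` for `key`. The window id is part of the key, so
// a lost PEXPIRE (INCR succeeded, PEXPIRE failed) leaks a key but never
// corrupts the count. Returns the same shape Upstash's limiter does.
async function rateLimit(store, key, { limit, windowMs }, now) {
  const windowId = Math.floor(now() / windowMs);
  const redisKey = `ratelimit:${key}:${windowId}`;
  const count = await store.incr(redisKey);
  if (count === 1) await store.pexpire(redisKey, windowMs); // first hit sets the TTL
  return {
    success: count <= limit,
    remaining: Math.max(0, limit - count),
    reset: (windowId + 1) * windowMs,
  };
}

// Key choice: a signed-in user id is the reliable identity. Fall back to an IP
// only from a header your own proxy sets; a client-supplied X-Forwarded-For is
// attacker-controlled and turns the limit into a suggestion.
function limiterKey(action, { userId, trustedIp } = {}) {
  if (userId) return `${action}:user:${userId}`;
  if (trustedIp) return `${action}:ip:${trustedIp}`;
  return `${action}:anon`; // one shared bucket: deliberately strict for unidentified callers
}

// Wrap a server action. Over-limit calls throw before the action body runs,
// and a limiter backend failure fails closed (deny) rather than open.
function withRateLimit(action, name, store, policy, now = Date.now) {
  return async function limited(ctx, ...args) {
    let verdict;
    try {
      verdict = await rateLimit(store, limiterKey(name, ctx), policy, now);
    } catch (err) {
      throw new Error(`rate limiter unavailable for ${name}; refusing request`);
    }
    if (!verdict.success) {
      const retryAfterSec = Math.ceil((verdict.reset - now()) / 1000);
      throw new Error(`rate limited: retry in ${retryAfterSec}s`);
    }
    return action(...args);
  };
}

// Walk one user through a 3-per-minute window with a fake clock.
async function demo() {
  let t = 1_700_000_000_000;
  const now = () => t;
  const store = new MemoryStore(now);
  const submitComment = withRateLimit(
    async (text) => `saved: ${text}`, 'submitComment', store, { limit: 3, windowMs: 60_000 }, now,
  );
  const ctx = { userId: 'u_42' };
  const outcomes = [];
  for (let i = 0; i < 4; i++) {
    try { outcomes.push(await submitComment(ctx, `hi ${i}`)); }
    catch (e) { outcomes.push(e.message); }
  }
  t += 60_000; // next window: the counter starts fresh
  outcomes.push(await submitComment(ctx, 'after reset'));
  return outcomes;
}

demo().then((out) => console.log(out));
```

With `@upstash/ratelimit` the counting is `Ratelimit.fixedWindow` or `Ratelimit.slidingWindow` and the call is `ratelimit.limit(identifier)`, which returns the same `{ success, remaining, reset }`; the parts above that remain your responsibility are `limiterKey` and the fail-closed branch. Check the wrapper is applied to every exported action, not just the obvious write paths: a read-only action that does an expensive database query is just as useful to an attacker for exhausting your budget.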

