
nextjs-security

Next.js security review — middleware auth-bypass patterns (CVE-2025-29927), Server Actions auth/CSRF, Server/Client Component boundary and SSR data leaks, auth.js (NextAuth) config, route handlers as API, Image Optimization SSRF, security headers via middleware.
roodlicht/accans-sec-skills · ★ 4 · Web & Frontend · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# Next.js Security

## When to use

This skill is the Next.js-specific layer on top of `secure-coding` and `api-security`. Next.js has gone through several architectural shifts in recent years (Pages Router, App Router, Server Actions, middleware evolution), and the security implications shift with them. It is also used by teams that do not have a sharp line between front-end and back-end — and that is exactly where bugs live.

Triggers on:

- A question like "review our Next.js app", "CVE-2025-29927 impact", "make Server Actions safe", "auth.js/NextAuth config review", "middleware auth", "SSR is leaking data into the client bundle", "image optimization SSRF".
- Presence of `next.config.js`/`.mjs`/`.ts`, `middleware.ts` in the project root, an `app/` directory with `page.tsx` and `layout.tsx`, `pages/` (older router), `"use server"` or `"use client"` directives, NextAuth/auth.js config.
- A PR that touches middleware, adds Server Actions, converts API routes to Server Actions, or changes auth.js config.
- Next.js version bumps, especially around security releases.
- Handoff from `security-review` or `api-security` when Next.js is in the stack.

### When NOT (handoff)

- General JS/TS secure coding → `secure-coding`.
- OWASP API Top 10 as a conceptual framework → `api-security`. This skill covers the Next.js implementation.
- SAST tooling (eslint-plugin-security, Semgrep `p/javascript`) → `sast-orchestrator`.
- Dependency vulnerabilities in `package.json` / `package-lock.json` → `cve-triage`.
- Vercel/