The boilerplate now includes a comprehensive security layer that protects every API route. Rate limiting is handled by Upstash Redis with category-based limits, so upload-heavy endpoints have tighter thresholds than general API calls. Each category tracks requests independently using sliding-window counters.

| Category | Limit      |
|----------|------------|
| Upload   | 10 / hour  |
|          | 5 / hour   |
| Payments | 20 / hour  |
| API      | 100 / hour |

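The category-based sliding-window scheme described above, as an added example that is not the boilerplate's own code: an in-memory `Map` stands in for Upstash Redis so it runs offline, the one-hour window and the Upload/Payments/API limits come from the table, and the route prefixes in `categoryForPath` are assumed for illustration.

```typescript
// Added example: per-category sliding-window rate limiter.
// Assumption: an in-memory Map replaces the Upstash Redis store used in production.
type Category = "upload" | "payments" | "api";

const HOUR_MS = 60 * 60 * 1000;

// Limits from the table; every category uses a one-hour window.
const LIMITS: Record<Category, { max: number; windowMs: number }> = {
  upload: { max: 10, windowMs: HOUR_MS },
  payments: { max: 20, windowMs: HOUR_MS },
  api: { max: 100, windowMs: HOUR_MS },
};

// Assumed route prefixes; any other API path falls into the general bucket.
function categoryForPath(pathname: string): Category {
  if (pathname.startsWith("/api/upload")) return "upload";
  if (pathname.startsWith("/api/payments")) return "payments";
  return "api";
}

interface RateLimitResult {
  allowed: boolean;
  remaining: number;
  retryAfterMs: number; // 0 when allowed
}

class SlidingWindowLimiter {
  // Key "category:identifier" -> timestamps (ms) of requests still inside the window.
  private store = new Map<string, number[]>();

  constructor(private limits = LIMITS) {}

  check(category: Category, identifier: string, now: number = Date.now()): RateLimitResult {
    const { max, windowMs } = this.limits[category];
    const key = `${category}:${identifier}`; // categories are tracked independently
    const windowStart = now - windowMs;
    // Discard timestamps older than the window: this is what makes the window slide.
    const recent = (this.store.get(key) ?? []).filter((t) => t > windowStart);
    if (recent.length >= max) {
      this.store.set(key, recent);
      // The oldest in-window request decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    this.store.set(key, recent);
    return { allowed: true, remaining: max - recent.length, retryAfterMs: 0 };
  }
}
```

Because the limit key is `category:identifier`, exhausting the Upload bucket leaves the same client's general API budget untouched, which is the independence the paragraph describes.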
CORS protection uses environment-aware origin allowlists. In development, localhost origins are permitted. In production, only the configured domain is accepted -- no wildcards. All API inputs pass through a server-side sanitization layer that strips potential XSS payloads using regex-based detection before any data reaches the database or is rendered in responses.
Security headers are applied globally via Next.js middleware. The header set includes Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. All API route inputs are validated with Zod schemas before processing, providing runtime type safety at the boundary between client and server.