flowCreate.solutions

Security Overview (Frontend Standard)

This document defines the baseline frontend security posture for Flow Create Solutions Next.js applications.

Security philosophy

Implement defense-in-depth:

  1. Safe rendering by default (React escaping; no unsafe HTML sinks)
  2. Authentication (backend-issued JWTs stored in HttpOnly cookies; never in localStorage)
  3. Authorization (server-side enforcement; UI checks are not security)
  4. CSRF protection (required for unsafe methods when using cookies)
  5. Security headers (CSP/referrer policy, etc.)
  6. Secrets/PII hygiene (env vars, logging, analytics)
  7. Automation (dependency scanning + secret scanning)

Non-negotiables

  • No bearer tokens in localStorage / sessionStorage.
  • All state-changing requests (POST/PUT/PATCH/DELETE) must be CSRF-protected at the BFF layer.
  • The browser must only call same-origin BFF endpoints (/api/v1/...). It must not call Railway internal/private hostnames.

BFF is part of the security boundary

Next.js Route Handlers are responsible for:

  • validating CSRF
  • reading HttpOnly cookies server-side
  • attaching backend auth (Authorization: Bearer <access_jwt>) server-side
  • preventing sensitive error leakage
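The following is an added example (not Flow Create Solutions code) showing the four responsibilities above as a framework-agnostic Route Handler body written against the Web Fetch API (Request/Response/Headers, available in Node 18+ and in Next.js Route Handlers). Cookie names (fc_csrf, fc_access), the x-csrf-token header, and the injected callBackend callback are assumptions; the real names and TTLs are defined in each project's docs as described later in this document.

```typescript
// Added example, not project code. Assumed names: cookies "fc_csrf" (readable by JS so the
// client can echo it) and "fc_access" (HttpOnly, holds the backend-issued JWT), header
// "x-csrf-token". The upstream base URL would come from an env var such as BACKEND_BASE_URL,
// never from the client, so the browser never learns internal hostnames.

const UNSAFE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
const CSRF_COOKIE = "fc_csrf";       // assumed; double-submit token, not HttpOnly
const ACCESS_COOKIE = "fc_access";   // assumed; HttpOnly cookie carrying the access JWT
const CSRF_HEADER = "x-csrf-token";  // assumed; client copies the CSRF cookie value here

// Parse the Cookie request header into a name -> value map.
export function parseCookies(header: string | null): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out.set(name, decodeURIComponent(value));
  }
  return out;
}

// Constant-time comparison so a mismatch does not reveal how many leading bytes matched.
// (The length check leaks only the length, which is fixed for a well-formed token.)
export function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Double-submit CSRF check: unsafe methods must carry a header token equal to the CSRF cookie.
export function csrfValid(req: Request): boolean {
  if (!UNSAFE_METHODS.has(req.method.toUpperCase())) return true; // safe methods need no token
  const cookieToken = parseCookies(req.headers.get("cookie")).get(CSRF_COOKIE);
  const headerToken = req.headers.get(CSRF_HEADER);
  if (!cookieToken || !headerToken) return false;
  return constantTimeEqual(cookieToken, headerToken);
}

// Read the HttpOnly session cookie server-side and turn it into the upstream Authorization
// header. The JWT never reaches browser JavaScript; it only exists here and in the cookie jar.
export function upstreamHeaders(req: Request): Headers | null {
  const jwt = parseCookies(req.headers.get("cookie")).get(ACCESS_COOKIE);
  if (!jwt) return null;
  const h = new Headers();
  h.set("authorization", `Bearer ${jwt}`);
  h.set("content-type", "application/json");
  return h;
}

function jsonResponse(body: unknown, status: number): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// Handler body for an unsafe method. `callBackend` is injected so the example runs offline;
// in a real handler it is fetch() against the env-configured backend base URL.
export async function handleUnsafe(
  req: Request,
  callBackend: (headers: Headers, body: string) => Promise<Response>,
): Promise<Response> {
  if (!csrfValid(req)) return jsonResponse({ error: "forbidden" }, 403);
  const headers = upstreamHeaders(req);
  if (!headers) return jsonResponse({ error: "unauthenticated" }, 401);
  try {
    const upstream = await callBackend(headers, await req.text());
    if (!upstream.ok) {
      // Do not forward backend error bodies: they may contain stack traces or internal hostnames.
      return jsonResponse({ error: "upstream_error" }, upstream.status >= 500 ? 502 : upstream.status);
    }
    return new Response(await upstream.text(), {
      status: upstream.status,
      headers: { "content-type": "application/json" },
    });
  } catch (err) {
    // Log server-side only; the browser gets a generic message, never err.message or a stack.
    console.error("bff upstream failure", err);
    return jsonResponse({ error: "upstream_error" }, 502);
  }
}
```

Note the ordering: CSRF is rejected before the session cookie is even read, so a cross-site request never causes an authenticated upstream call, and a missing session yields 401 without touching the backend.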

What belongs in project docs (not standards)

Project repos must document:

  • the exact cookie names and TTLs
  • which endpoints are unsafe (mutating) and require CSRF (default: all unsafe methods)
  • exact security header config for that app (CSP often varies by product needs)