Security Guidelines
Deploying community platforms securely is critical to preventing malicious bots, abuse, and unintended data leaks.
Environment Variables & Secrets
Never expose administrative tokens to the client. Keep .env keys for AWS/S3 or database endpoints on the server side only.
If you use Next.js environment variables, note that any variable whose name begins with NEXT_PUBLIC_ WILL be inlined into the browser bundle and exposed to clients.
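As an added example (not part of the Community Engine's own code), the following startup guard turns the NEXT_PUBLIC_ rule into a check: it scans an environment object for sensitive-looking names under the public prefix and for public variables that carry the same value as one of the server-only secrets listed below. The fragment list, function names and the two sample environments are constructed for illustration.

```javascript
// Added example: refuse to start when a secret would be inlined into the
// browser bundle through the NEXT_PUBLIC_ prefix. Not the project's own code.

const PUBLIC_PREFIX = 'NEXT_PUBLIC_';

// Server-only variables from this guide; their values must never appear
// under a NEXT_PUBLIC_ name.
const SERVER_ONLY = ['BETTER_AUTH_SECRET', 'DATABASE_URL', 'REDIS_URL'];

// Name fragments that strongly suggest a credential or private endpoint
// (assumed list; extend it for your deployment).
const SENSITIVE_FRAGMENTS = ['SECRET', 'TOKEN', 'PASSWORD', 'PRIVATE', 'DATABASE', 'REDIS', 'AWS'];

// Returns one finding per problem: a public variable with a sensitive-looking
// name, or a public variable whose value equals a server-only secret.
function findExposedSecrets(env) {
  const findings = [];
  const serverValues = new Map(
    SERVER_ONLY.filter((n) => env[n]).map((n) => [env[n], n]),
  );
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith(PUBLIC_PREFIX)) continue;
    const suffix = name.slice(PUBLIC_PREFIX.length);
    if (SENSITIVE_FRAGMENTS.some((f) => suffix.includes(f))) {
      findings.push({ name, reason: 'sensitive-looking name under NEXT_PUBLIC_' });
    }
    if (value && serverValues.has(value)) {
      findings.push({ name, reason: `same value as server-only ${serverValues.get(value)}` });
    }
  }
  return findings;
}

// Call once at server start so a misconfigured deployment fails fast
// instead of shipping the secret to every browser.
function assertNoExposedSecrets(env = process.env) {
  const findings = findExposedSecrets(env);
  if (findings.length > 0) {
    const list = findings.map((f) => `${f.name}: ${f.reason}`).join('\n  ');
    throw new Error(`Refusing to start; secrets exposed to the client:\n  ${list}`);
  }
}

// Constructed sample environments (values are placeholders, not real credentials).
const SAFE_ENV = {
  BETTER_AUTH_SECRET: 'constructed-secret',
  DATABASE_URL: 'postgres://db.internal/community',
  REDIS_URL: 'redis://cache.internal:6379',
  NEXT_PUBLIC_APP_URL: 'https://community.yourdomain.com',
};
const LEAKY_ENV = {
  ...SAFE_ENV,
  NEXT_PUBLIC_DATABASE_URL: 'postgres://db.internal/community', // flagged twice: by name and by value
  NEXT_PUBLIC_UPLOAD_TOKEN: 'constructed-upload-token',        // flagged by name
};

module.exports = { findExposedSecrets, assertNoExposedSecrets, SAFE_ENV, LEAKY_ENV };
```

Run `assertNoExposedSecrets()` from a server-side entry point before the app accepts traffic; the value comparison catches the common mistake of copying a server variable into a public one "just for the dashboard".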
# DO NOT EXPOSE TO CLIENT
BETTER_AUTH_SECRET="..."
DATABASE_URL="..."
REDIS_URL="..."
# SAFE TO EXPOSE TO CLIENT
NEXT_PUBLIC_APP_URL="https://community.yourdomain.com"
User Data Protection
We use modern password hashing out of the box via the Better-Auth integration plugins. Passwords are never stored in plaintext.
- Session Tokens: issued as secure, HttpOnly, SameSite=Lax cookies, so injected scripts cannot read the token and the standard XSS session-theft vector is closed.
- PII Scrubbing: endpoint responses deliberately omit sensitive user fields (emails, phone numbers) when populating author objects internally.
Rate Limiting (Redis)
All endpoints that accept unauthenticated requests or trigger high-cost generation should be rate limited to prevent denial-of-service and bot spam. Rate limiting is implemented in standard Next.js middleware backed by Redis.
Default Limits
- Post Creation (Questions & Answers): 10 per minute per IP.
- Voting: 30 per minute per IP.
- Generic Endpoint Hits: 60 per minute per IP.
Limits can be adjusted manually in your codebase's middleware scripts.
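The following is an added example of the per-IP limiter this section describes, not the Community Engine's own middleware. It implements a fixed-window counter with the Redis INCR/PEXPIRE/PTTL command semantics and the three default limits above. The Redis client is a constructed in-memory stand-in with the same command names so the example runs offline; in a deployment you would pass an ioredis or node-redis client instead. The /api paths used to classify requests and the helper names are assumptions.

```javascript
// Added example: fixed-window rate limiting per IP, keyed by limit class.
// Not the project's own code; the Redis client is an offline stand-in.

const WINDOW_MS = 60_000;
const LIMITS = {
  post: 10,    // question & answer creation
  vote: 30,
  generic: 60,
};

// Maps a request to a limit class. The route patterns are assumptions.
function classify(method, pathname) {
  if (method === 'POST' && /^\/api\/(questions|answers)(\/|$)/.test(pathname)) return 'post';
  if (method === 'POST' && /^\/api\/votes(\/|$)/.test(pathname)) return 'vote';
  return 'generic';
}

// Minimal stand-in for the three Redis commands the limiter uses. The clock
// is injectable so window expiry can be exercised deterministically.
class FakeRedis {
  constructor(clock = () => Date.now()) { this.clock = clock; this.store = new Map(); }
  _live(key) {
    const entry = this.store.get(key);
    if (entry && entry.expiresAt !== null && entry.expiresAt <= this.clock()) {
      this.store.delete(key); // expired: behave as if the key is gone
      return undefined;
    }
    return entry;
  }
  async incr(key) {
    const entry = this._live(key) ?? { value: 0, expiresAt: null };
    entry.value += 1;
    this.store.set(key, entry);
    return entry.value;
  }
  async pexpire(key, ms) {
    const entry = this._live(key);
    if (!entry) return 0;
    entry.expiresAt = this.clock() + ms;
    return 1;
  }
  async pttl(key) {
    const entry = this._live(key);
    if (!entry) return -2;
    if (entry.expiresAt === null) return -1;
    return Math.max(0, entry.expiresAt - this.clock());
  }
}

// One call per request. The first hit in a window starts the TTL. If a
// process died between INCR and PEXPIRE the key would never expire, so any
// key reporting a TTL of -1 is also given a window here.
async function checkRateLimit(redis, limitClass, ip) {
  const limit = LIMITS[limitClass] ?? LIMITS.generic;
  const key = `rl:${limitClass}:${ip}`;
  const count = await redis.incr(key);
  let ttl = await redis.pttl(key);
  if (count === 1 || ttl === -1) {
    await redis.pexpire(key, WINDOW_MS);
    ttl = WINDOW_MS;
  }
  return { allowed: count <= limit, remaining: Math.max(0, limit - count), retryAfterMs: ttl };
}

// Middleware-shaped wrapper: null lets the request through; otherwise a 429
// descriptor with Retry-After in seconds for the caller to turn into a Response.
async function rateLimitMiddleware(redis, { ip, method, pathname }) {
  const result = await checkRateLimit(redis, classify(method, pathname), ip);
  if (result.allowed) return null;
  return { status: 429, headers: { 'Retry-After': String(Math.ceil(result.retryAfterMs / 1000)) } };
}

module.exports = { LIMITS, WINDOW_MS, classify, FakeRedis, checkRateLimit, rateLimitMiddleware };
```

In a Next.js middleware.ts you would derive `ip` from the trusted proxy header your deployment sets and return `NextResponse` with the status and headers from the descriptor. Counters are keyed per class, so a burst of votes does not consume a client's post allowance.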
Cross-Origin Resource Sharing (CORS)
By default, the Community Engine enforces strict Same-Origin boundaries: browser requests to the API initiated via standard fetch calls from foreign origins will be blocked.
If you intend to launch standalone mobile applications or third-party widgets that talk directly to the /api core, explicitly allow-list the safe origins in the Next.js API configuration.
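As an added example (not the Community Engine's own configuration), here is one way to build the CORS response headers for the /api routes from an explicit origin allow-list. The Origin header is matched exactly against the set, so a look-alike host or an unlisted subdomain is never accepted by accident, and the allowed origin is echoed back rather than a wildcard. The listed origins and function names are constructed.

```javascript
// Added example: exact-match origin allow-list for CORS on /api routes.
// Not the project's own code; origins below are placeholders.

const ALLOWED_ORIGINS = new Set([
  'https://community.yourdomain.com', // the web app itself
  'https://widget.partner.example',   // hypothetical third-party widget host
  'capacitor://localhost',            // hypothetical mobile wrapper origin
]);

const ALLOWED_METHODS = 'GET, POST, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

// Returns the headers to attach to a response for the given request Origin,
// or an empty object when the origin is not allow-listed (the browser then
// refuses to expose the response). CORS only governs browsers; the server
// must still authenticate and rate limit the call itself.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin, // echo only an exact match, never '*'
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Access-Control-Allow-Headers': ALLOWED_HEADERS,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's answer to another
  };
}

// Handles the preflight OPTIONS request: 204 with headers for allowed
// origins, 403 with no CORS headers otherwise.
function handlePreflight(origin) {
  const headers = corsHeaders(origin);
  return Object.keys(headers).length > 0 ? { status: 204, headers } : { status: 403, headers: {} };
}

module.exports = { ALLOWED_ORIGINS, corsHeaders, handlePreflight };
```

In a route handler, merge `corsHeaders(request.headers.get('origin'))` into the response headers and answer OPTIONS with `handlePreflight`. Because the allow-list is a Set of full origins (scheme, host and port), the check cannot be satisfied by a prefix or substring match.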
Markdown Sanitization (XSS Defense)
Because user-submitted content is rendered through our Markdown renderer and displayed on-screen:
- Content sent to the database is parsed to HTML using marked.
- The result is sanitized with a strict tag allow-list via sanitize-html to prevent arbitrary JavaScript injection.
Do not disable the sanitization steps in the server-action handlers under any circumstances.
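As an added example (not the project's own renderer configuration), the block below shows the marked-then-sanitize-html pipeline described above with an explicit tag, attribute and URL-scheme allow-list, together with an audit function a practitioner can run in CI so that a later edit to the allow-list cannot quietly reopen script execution. The specific tags and attributes chosen, the forbidden lists and the function names are assumptions; the two packages are required lazily inside the render function so the configuration and the audit run without them installed.

```javascript
// Added example: allow-list configuration for sanitize-html and an audit of
// that configuration. Not the Community Engine's own code.

const SANITIZE_OPTIONS = {
  allowedTags: [
    'p', 'br', 'strong', 'em', 'del', 'blockquote', 'ul', 'ol', 'li',
    'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'pre', 'code', 'a', 'img',
    'table', 'thead', 'tbody', 'tr', 'th', 'td', 'hr',
  ],
  allowedAttributes: {
    a: ['href', 'title'],
    img: ['src', 'alt', 'title'],
    code: ['class'], // only for syntax-highlighting classes, see allowedClasses
  },
  allowedSchemes: ['http', 'https', 'mailto'],
  allowedSchemesByTag: { img: ['https'] }, // images must be fetched over TLS
  allowedClasses: { code: ['language-*'] },
  disallowedTagsMode: 'discard', // drop unlisted tags and their content
};

// Tags and URL schemes that user content must never be allowed to carry.
// Assumed lists; extend them rather than shrinking them.
const FORBIDDEN_TAGS = ['script', 'style', 'iframe', 'object', 'embed', 'form', 'svg', 'math', 'base', 'meta', 'link'];
const FORBIDDEN_SCHEMES = ['javascript', 'data', 'vbscript'];

// Returns a list of problems with an options object; empty means sound.
function auditAllowList(options) {
  const problems = [];
  const tags = new Set(options.allowedTags);
  for (const t of FORBIDDEN_TAGS) {
    if (tags.has(t)) problems.push(`tag allowed: ${t}`);
  }
  for (const [tag, attrs] of Object.entries(options.allowedAttributes ?? {})) {
    if (tag !== '*' && !tags.has(tag)) problems.push(`attributes for unlisted tag: ${tag}`);
    for (const a of attrs) {
      if (/^on/i.test(a)) problems.push(`event handler allowed on ${tag}: ${a}`);
      if (a === 'style' || a === 'srcdoc') problems.push(`dangerous attribute on ${tag}: ${a}`);
    }
  }
  const schemes = [
    ...(options.allowedSchemes ?? []),
    ...Object.values(options.allowedSchemesByTag ?? {}).flat(),
  ];
  for (const s of schemes) {
    if (FORBIDDEN_SCHEMES.includes(s)) problems.push(`scheme allowed: ${s}`);
  }
  return problems;
}

// Server-side render used before persisting content: parse first, then
// sanitize the resulting HTML. Packages are loaded lazily so the config and
// audit above run without them installed.
function renderUserMarkdown(markdown) {
  const { marked } = require('marked');
  const sanitizeHtml = require('sanitize-html');
  return sanitizeHtml(marked.parse(markdown), SANITIZE_OPTIONS);
}

module.exports = { SANITIZE_OPTIONS, auditAllowList, renderUserMarkdown };
```

Wire `auditAllowList(SANITIZE_OPTIONS)` into the test suite and fail the build on a non-empty result; the order of the two steps matters as well, since sanitizing the Markdown source instead of the rendered HTML would leave the renderer free to emit markup the allow-list never saw.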