Next.js
Nonce-Based CSP in Next.js 16: Middleware to proxy.ts
Implementing nonce-based Content Security Policy in Next.js 16 using proxy.ts instead of middleware.ts. Full code, CSP directives, common mistakes.
Supabase
Three non-obvious Supabase RLS gotchas — SECURITY DEFINER triggers, FK SET NULL needing UPDATE policies, and partial migrations — with SQL fixes for each.
Security
An IDOR slipped past code review during a billing rewrite. Here is the 6-point checklist and defense-in-depth approach I now use on every pull request.
Security
How to encrypt SSNs and PII at rest with AES-256-GCM in TypeScript. Covers key rotation traps, IV reuse, auth tags, and a full production implementation.
Next.js
Framer Motion silently strips the CSS background shorthand on motion.div components. Use backgroundImage instead. A debugging story with the one-line fix.
Next.js
Use Promise.race to add timeout guards to every external API call in serverless functions. Prevent silent 504s on Vercel, Lambda, and Cloudflare Workers.
Next.js
3 production bugs with the same root cause: un-awaited async at Vercel request boundaries. How fire-and-forget silently breaks on serverless and the fix.