Next.js
Nonce-Based CSP in Next.js 16: Middleware to proxy.ts
Implementing nonce-based Content Security Policy in Next.js 16 using proxy.ts instead of middleware.ts. Full code, CSP directives, common mistakes.
Security
An IDOR slipped past code review during a billing rewrite. Here is the 6-point checklist and defense-in-depth approach I now use on every pull request.
Security
How to encrypt SSNs and PII at rest with AES-256-GCM in TypeScript. Covers key rotation traps, IV reuse, auth tags, and a full production implementation.