When working on an application in its infancy… I’m talking like MVP… security is not usually the first concern.
But security has been on my mind as I’m finally deploying this product in the wild (not localhost:3000 anymore woot).
Came across this product, Arcjet, and started reading up. I’m enamored with the documentation, which seems easy enough as far as implementation goes. I’m pretty much looking for reasons I should not use it. But then I found this article on securing self-hosted Next.js apps here: https://blog.arcjet.com/next-js-security-checklist/
The number one thing to be concerned with was dependencies. They mention tools to manage dependencies:
- Dependabot
- Socket
Dependabot is enabled via settings in your GitHub repo. Got some alerts already.
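As an added example (not from the post or the Arcjet checklist), here is a `.github/dependabot.yml` that schedules Dependabot version-update PRs for the npm dependencies of a Next.js repo; the security alerts themselves are switched on in the repo settings, this file only controls the scheduled update PRs. The group name, the weekly schedule and the PR limit are my own choices.

```yaml
# .github/dependabot.yml (added example; group name and schedule are assumptions)
version: 2
updates:
  # npm dependencies of the Next.js app at the repo root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # cap open PRs so the alert noise stays reviewable
    open-pull-requests-limit: 5
    # bump the framework packages together so next/react stay in lockstep
    groups:
      next-framework:
        patterns:
          - "next"
          - "react"
          - "react-dom"
  # keep the CI workflow actions current as well
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```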

Socket was pretty easy to install and test.
I saw 4 entries from one PR.
I did introduce 2 new packages which are mentioned below.

I’m just getting into Socket but this is what it looks like when you choose a report.
I’m unclear what the graphic is on top and how it relates.

Perhaps it's the alerts for the dependencies. The stacks kind of make sense in that context. If I’m correct, that's a really interesting visualization.
The next security issue to be concerned with is handling untrusted user input & preventing XSS attacks.