Next.js + NextAuth.js — SSO Security Hardening and Best Practices

By -

Next.js + NextAuth.js — SSO Security Hardening and Best Practices

This final post in the Next.js Frontend SSO series focuses on security and best practices for production-grade SSO. Even with a working authentication flow, neglecting security can lead to token leaks, session hijacking, or unauthorized access.

1️⃣ Secure session cookies

NextAuth.js stores session information in cookies (JWT or database sessions). Configure cookies properly:

  • httpOnly: prevents JavaScript access to cookies
  • secure: ensure cookies are sent only over HTTPS
  • SameSite: protect against CSRF (use "lax" or "strict")


cookies: {

  sessionToken: {

    name: `__Secure-next-auth.session-token`,

    options: {

      httpOnly: true,

      sameSite: 'lax',

      path: '/',

      secure: process.env.NODE_ENV === 'production'

    }

  }

}

2️⃣ Refresh token rotation

Refresh tokens should be rotated to prevent replay attacks. NextAuth.js allows you to implement token refresh in the jwt callback: 



async jwt({ token }) {

  if (Date.now() > token.expires) {

    const refreshed = await refreshAccessToken(token);

    token.accessToken = refreshed.accessToken;

    token.refreshToken = refreshed.refreshToken;

    token.expires = refreshed.expires;

  }

  return token;

}

> Always propagate the refreshed tokens to the session.

3️⃣ Minimum scope / least privilege

  • Only request the scopes your app actually needs
  • For API calls, never use a long-lived access token with excessive permissions
  • Limit manager or admin privileges to dedicated flows (like popup login)

4️⃣ Handle token expiration and logout

  • Always check token expiration before making API calls
  • Use automatic logout if a refresh fails or token is invalid
  • Clear cookies and session on logout to prevent stale sessions

5️⃣ Debugging and monitoring

Monitoring authentication flows helps detect anomalies early:

  • Log all login attempts and role verification failures
  • Enable DEBUG="next-auth:*" in development for detailed logs
  • Monitor refresh token failures and session expirations

6️⃣ CSRF and CORS considerations

  • NextAuth.js has built-in CSRF protection for sign-in requests
  • Always configure your backend APIs with proper CORS headers
  • For manager approval flows or popups, ensure postMessage only accepts trusted origins

7️⃣ Summary

By following these practices, your Next.js SSO flows become production-ready:

  • Secure session cookies
  • Refresh token rotation and propagation
  • Least privilege scopes
  • Token expiration handling and forced logout
  • Logging and monitoring
  • CSRF and CORS protections

This concludes the Next.js Frontend SSO Series. With these 7 posts, you now have a complete guide from basic setup to advanced flows, role management, popup approval, token handling, and security hardening.

Part of the Next.js Frontend SSO Series

❤️ Support This Blog

If this post helped you, you can support my writing with a small donation. Thank you for reading.

Coffee ☕ Thanks 🙏 Extra Support ❤️

Comments

Post a Comment

Popular posts from this blog

fixed: embedded-redis: Unable to run on macOS Sonoma

By -
Image
Issue you might see below error while trying to run embedded-redis for your testing on your macOS after you upgrade to Sonoma. java.lang.RuntimeException: Can't start redis server. Check logs for details. Redis process log: at redis.embedded.AbstractRedisInstance.awaitRedisServerReady(AbstractRedisInstance.java:70) at redis.embedded.AbstractRedisInstance.start(AbstractRedisInstance.java:42) at redis.embedded.RedisServer.start(RedisServer.java:9) Solution use the latest one: https://mv   ...
Read more

Copying MDC Context Map in Web Clients: A Comprehensive Guide

By -
Image
Introduction In distributed systems, maintaining context across microservices is crucial for effective logging and tracing. The Mapped Diagnostic Context (MDC) in logging frameworks like Logback or Log4j allows developers to propagate contextual information such as request IDs, user IDs, or correlation IDs across threads and services. When using web clients to make outgoing requests, it's essential to propagate the MDC context map to ensure consistency and traceability. This guide will provide   ...
Read more

Reset user password for your own Ghost blog

By -
Image
If you do not config mail up for your ghost blog, it maybe a big problem once you lost your user password. however, methods are always more than problems. We can fix it up by reset it. 1. Find out your database name in your ghost config, it is maybe in config.production.json   "database": {     "client": "mysql",     "connection": {       "host": "localhost",       "user": "ghost-452",       "password": "dade1b0565f2585e07c7",       "database": "ghost_production_acm" 2. Use mysql to reset the password. mysql -u root -p Enter the password for root account. mysql> use ghost_production_acm; mysql> select * from users; ghost use bcrypthash for the password. You can get bcrypt hash string from http://bcrypthashgenerator.apphb.com/ mysql>update users set password=' $2b$10$PaL8tKcU4i0CsjRrM6BhROVQMwwLFw2HSx/kWlAUgja23fNllc2Fy' where ...
Read more