PrecogsAI/secure-nextjs-starter

πŸ›‘οΈ Secure Next.js Starter

A production-ready Next.js 15 boilerplate with 7 security headers, CI/CD vulnerability scanning, and hardened defaults, all pre-configured so you can ship secure apps from day one.


What's Included

🔒 Security Headers (via next.config.ts)

| Header | Value | Protection |
|---|---|---|
| X-Content-Type-Options | nosniff | Prevents MIME-type sniffing |
| X-Frame-Options | DENY | Blocks clickjacking via iframes |
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Enforces HTTPS for 2 years |
| Referrer-Policy | strict-origin-when-cross-origin | Controls referrer data leakage |
| Permissions-Policy | geolocation=(), microphone=(), camera=() | Restricts browser API access |
| X-XSS-Protection | 1; mode=block | Enables browser XSS filtering |
| X-Permitted-Cross-Domain-Policies | none | Blocks Flash/PDF cross-domain access |

Additionally, X-Powered-By is removed (poweredByHeader: false) to prevent server fingerprinting.

πŸ” CI/CD Security Scanning

A GitHub Actions workflow (.github/workflows/security.yml) runs automatically on every pull request:

  • Secret Detection: catches API keys, tokens, and credentials before they're merged.
  • PII Scanning: detects personally identifiable information in your codebase.
  • Dependency Auditing: flags known vulnerabilities in your npm packages.

Powered by Precogs AI.

⚡ Modern Stack

  • Next.js 15 with App Router
  • TypeScript (strict mode)
  • Tailwind CSS v4
  • React Compiler enabled
  • ESLint pre-configured

Quick Start

```bash
# Create a new app from this template
npx create-next-app@latest -e https://github.com/PrecogsAI/secure-nextjs-starter my-app

# Or clone directly
git clone https://github.com/PrecogsAI/secure-nextjs-starter.git
cd secure-nextjs-starter
npm install
npm run dev
```

Open http://localhost:3000.


Verify Your Headers

After deploying, scan your site at securityheaders.com to confirm all headers are active.
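The header table above and the securityheaders.com check can be tied together in code. The following is an added example, not the starter's own next.config.ts: it restates the seven headers in the shape that Next.js's `headers()` config option returns and adds an `auditHeaders` function that compares a response's headers against that list, also reporting an `X-Powered-By` header that `poweredByHeader: false` should have removed. The `sampleResponseHeaders` object is constructed for the example and does not describe any real deployment.

```typescript
// Added example (not the starter's own next.config.ts): the seven README
// headers in Next.js `headers()` shape, plus an audit of a response against them.

export type HeaderEntry = { key: string; value: string };

// The seven headers and values from the README's table.
export const securityHeaders: HeaderEntry[] = [
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "geolocation=(), microphone=(), camera=()" },
  { key: "X-XSS-Protection", value: "1; mode=block" },
  { key: "X-Permitted-Cross-Domain-Policies", value: "none" },
];

// What `async headers()` in next.config.ts returns: one rule applying the
// whole list to every route.
export function nextHeadersConfig() {
  return [{ source: "/(.*)", headers: securityHeaders }];
}

export type HeaderAudit = {
  missing: string[];
  mismatched: { key: string; expected: string; actual: string }[];
  leaked: string[];
};

// Compare a response's headers with the expected set. Header names are
// case-insensitive, so both sides are lower-cased; values must match exactly.
export function auditHeaders(actual: Record<string, string>): HeaderAudit {
  const got = new Map<string, string>();
  for (const [k, v] of Object.entries(actual)) got.set(k.toLowerCase(), v.trim());

  const missing: string[] = [];
  const mismatched: HeaderAudit["mismatched"] = [];
  for (const { key, value } of securityHeaders) {
    const v = got.get(key.toLowerCase());
    if (v === undefined) missing.push(key);
    else if (v !== value) mismatched.push({ key, expected: value, actual: v });
  }
  // poweredByHeader: false should strip X-Powered-By; report it if it survived.
  const leaked = got.has("x-powered-by") ? ["X-Powered-By"] : [];
  return { missing, mismatched, leaked };
}

// Constructed sample (not a real deployment): HSTS lost behind a proxy,
// X-Frame-Options relaxed, and the framework still advertised.
export const sampleResponseHeaders: Record<string, string> = {
  "content-type": "text/html; charset=utf-8",
  "x-content-type-options": "nosniff",
  "x-frame-options": "SAMEORIGIN",
  "referrer-policy": "strict-origin-when-cross-origin",
  "permissions-policy": "geolocation=(), microphone=(), camera=()",
  "x-xss-protection": "1; mode=block",
  "x-permitted-cross-domain-policies": "none",
  "x-powered-by": "Next.js",
};

// Run directly: prints the audit of the constructed sample.
console.log(JSON.stringify(auditHeaders(sampleResponseHeaders), null, 2));
```

To audit a real deployment, fetch the page and pass `Object.fromEntries(response.headers)` to `auditHeaders`; a missing `Strict-Transport-Security` is the most common finding, since a proxy or CDN in front of the app may drop or rewrite it. The audit checks `X-XSS-Protection` like the others because the starter ships it, but note that current Chromium and Firefox ignore that header, so the real cross-site scripting defence on this list is a Content-Security-Policy, which the starter leaves to you (see Customization below).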


Project Structure

```text
├── .github/
│   └── workflows/
│       └── security.yml          # Precogs AI security scan on PRs
├── src/
│   └── app/
│       ├── layout.tsx            # Root layout with SEO metadata
│       ├── page.tsx              # Landing page
│       └── globals.css           # Global styles
├── next.config.ts                # Security headers configuration
├── package.json
└── tsconfig.json
```

Customization

Adding Content-Security-Policy

CSP is not included by default because it varies per project. To add it, extend the securityHeaders array in next.config.ts:

```ts
{
  key: "Content-Security-Policy",
  value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;",
}
```
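Because a CSP is easy to get subtly wrong when edited as one long string, the following added example (not part of the starter) builds the README's policy from a structured list of directives, parses a policy string back into its parts, and flags the source expressions in `script-src` that weaken it. The README's policy deliberately allows `'unsafe-inline'` and `'unsafe-eval'` so that a fresh app works out of the box; `cspWarnings` points those out so you can tighten them (for example with nonces or hashes) once you know which scripts your app actually needs.

```typescript
// Added example (not the starter's code): build, parse and review a CSP value.

export type CspDirective = [string, string[]];

// The README's example policy, directive by directive.
export const starterCsp: CspDirective[] = [
  ["default-src", ["'self'"]],
  ["script-src", ["'self'", "'unsafe-eval'", "'unsafe-inline'"]],
  ["style-src", ["'self'", "'unsafe-inline'"]],
  ["img-src", ["'self'", "data:", "https:"]],
  ["font-src", ["'self'", "data:"]],
];

// Serialize to the header value format: "name src src; name src;"
export function buildCsp(directives: CspDirective[]): string {
  return directives.map(([name, sources]) => [name, ...sources].join(" ")).join("; ") + ";";
}

// Parse a policy string into a map of directive name -> source list.
// Tolerates extra whitespace and a trailing ";".
export function parseCsp(value: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Review the directive that governs scripts (script-src, or default-src when
// script-src is absent). 'unsafe-inline' and 'unsafe-eval' give back most of
// the XSS protection a CSP provides; a bare scheme or wildcard allows scripts
// from any origin.
export function cspWarnings(value: string): string[] {
  const policy = parseCsp(value);
  const governing = policy.has("script-src") ? "script-src" : "default-src";
  const sources = policy.get(governing) ?? [];
  const warnings: string[] = [];
  for (const src of sources) {
    if (src === "'unsafe-inline'") warnings.push(`${governing} allows 'unsafe-inline'`);
    else if (src === "'unsafe-eval'") warnings.push(`${governing} allows 'unsafe-eval'`);
    else if (src === "*" || src === "https:" || src === "http:") warnings.push(`${governing} allows any origin (${src})`);
  }
  if (!policy.has("script-src") && !policy.has("default-src")) {
    warnings.push("no script-src or default-src: scripts are unrestricted");
  }
  return warnings;
}

// The entry to push onto `securityHeaders` in next.config.ts.
export function cspHeaderEntry(directives: CspDirective[]) {
  return { key: "Content-Security-Policy", value: buildCsp(directives) };
}

// Run directly: show the starter policy and what a review flags in it.
console.log(cspHeaderEntry(starterCsp).value);
console.log(cspWarnings(buildCsp(starterCsp)));
```

`buildCsp(starterCsp)` reproduces the README's string exactly, and `cspWarnings` on it reports the two `script-src` relaxations. Dropping `'unsafe-eval'` is usually possible once the React Compiler and any eval-dependent dev tooling are excluded from production builds; dropping `'unsafe-inline'` for scripts generally requires a per-request nonce set in middleware, which is outside what this starter configures.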

Upgrading the Security Scan

The included workflow uses the free tier. To enable deep code analysis, update .github/workflows/security.yml:

```yaml
- uses: PrecogsAI/precogs-action@v1
  with:
    scan_type: pro
    api_key: ${{ secrets.PRECOGS_API_KEY }}
```

License

MIT: use this starter for anything.


Security powered by Precogs AI
