security-hardening-checklist

# Security Hardening Checklist

To perform a comprehensive security audit and generate hardening recommendations, follow these steps systematically.

## Step 1: Project Discovery

Identify the project structure and tech stack:

1. Use Glob to find key files:
   - `package.json` - Dependencies and scripts
   - `next.config.*` - Next.js configuration
   - `middleware.ts` - Middleware setup
   - `app/**/*.{ts,tsx}` - Application routes
   - `.env.example` - Environment variables

2. Identify authentication provider (Supabase, NextAuth, Clerk, etc.)
3. Identify database type (PostgreSQL, MySQL, MongoDB, etc.)
4. Check for security libraries (helmet, rate-limit, etc.)

## Step 2: Security Headers Audit

Check for security headers configuration.

### Check Next.js Config

Use Grep to search for security headers in `next.config.js/ts`:
```
- "X-Frame-Options"
- "X-Content-Type-Options"
- "X-XSS-Protection"
- "Strict-Transport-Security"
- "Content-Security-Policy"
- "Referrer-Policy"
- "Permissions-Policy"
```

### Generate Missing Headers

Consult `references/security-headers.md` and create configuration:

```typescript
// next.config.ts
const securityHeaders = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on'
  },
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload'
  },
  {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN'
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    key: 'X-XSS-Protection',
    value: '1; mode=block'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  },
  {
    key: 'Permissions-Policy',
    value: 'camera=(), microphone=(), geolocation=()'
  }
]

const nextConfig = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: securityHeaders,
      },
    ]
  },
}
```

## Step 3: Cookie Security Audit

Check cookie configuration for auth and session management.

### Check for Insecure Cookie Settings

Use Gr