v0.0.4
Security hardening release for the Next.js application template.
v0.0.4
v0.0.4 hardens runtime security defaults, auth redirects, protected action boundaries, account session management, and workspace invitation privacy.
Highlights
- Added application-wide security headers for framing, content type, referrer, permissions, CSP, and production HSTS.
- Replaced placeholder base URL handling with normalized
NEXT_PUBLIC_APP_BASE_URLandBETTER_AUTH_URLconfiguration. - Hardened auth redirects against external and traversal-based targets.
- Stopped trusting forwarded user-id headers inside protected server actions.
- Removed raw Better Auth session tokens from client-facing session data.
- Hid workspace invitation metadata when the signed-in user is not the invited recipient.
- Added database protection against duplicate pending invitations.
- Validated workspace slug uniqueness across all organizations.
What changed for template users
Production deployments now fail fast when the public app base URL is missing. Auth redirect targets are constrained to safe in-app paths. Account security pages show safe session metadata without raw bearer-like session tokens.
Workspace invitation pages protect recipient privacy, and accepting an invitation sets the accepted workspace as the active organization.
Upgrade notes
- Replace
PUBLIC_BASE_URLwithNEXT_PUBLIC_APP_BASE_URLin all environments. - Production deployments must configure
NEXT_PUBLIC_APP_BASE_URL. - A Prisma migration is required for the invitation duplicate-protection index.
- Remote images are no longer allowed from arbitrary HTTPS hosts; configure
images.remotePatternsfor domains your app needs. - Workspace name changes no longer regenerate slugs automatically.
Quality
The release adds tests for redirect sanitization, session-token handling, current-session revoke protection, invitation recipient mismatch privacy, accepting invitations, active organization updates, global slug collisions, and session-list data shape.