Next.jshard

Next.js App Router auth: how do you keep it secure and SSR-friendly?

Answer

Keep sessions in httpOnly cookies and validate them on the server (Server Components and Route Handlers). Use middleware mainly for routing/redirects, but still enforce auth in server code. Avoid relying only on client checks, and be careful with static rendering when content depends on the user.

Advanced answer

Deep dive

Expanding on the short answer — what usually matters in practice:

Context (tags): nextjs, auth, cookies, security
Lifecycle: what happens at runtime (render/build, request/response, background jobs).
Caching: where cache lives, cache keys, how to invalidate without chaos.
Security: authn/authz, secrets, attack surface (SSRF/CSRF).
Explain the "why", not just the "what" (intuition + consequences).
Trade-offs: what you gain/lose (time, memory, complexity, risk).
Edge cases: empty inputs, large inputs, invalid inputs, concurrency.

Examples

A tiny example (an explanation template):

// Example: discuss trade-offs for "next.js-app-router-auth:-how-do-you-keep-it-secu"
function explain() {
  // Start from the core idea:
  // Keep sessions in httpOnly cookies and validate them on the server (Server Components and R
}

Common pitfalls

Too generic: no concrete trade-offs or examples.
Mixing average-case and worst-case (e.g., complexity).
Ignoring constraints: memory, concurrency, network/disk costs.

Interview follow-ups

When would you choose an alternative and why?
What production issues show up and how do you diagnose them?
How would you test edge cases?