Production-ready · Security-first · Zero config

Build faster. Ship smarter.

NextForge is a battle-hardened Next.js scaffold — auth, database clients, reusable components, and full XSS/SQLi/CSRF protection wired up before you write a single line of business logic.

NextForge · PRODUCTION-READY SCAFFOLD

// features

Everything wired up

Stop configuring, start building. Every critical system is production-ready before you touch business logic.

XSS Protection

DOMPurify sanitization on all inputs. CSP headers via proxy.ts. No raw strings in the DOM.

Auth ready

NextAuth v5 with Credentials + Google. JWT sessions, email verification, password reset — all wired.

3 DB clients

MongoDB (Mongoose), PostgreSQL (node-pg), Supabase, and Firebase — each with connection pooling and safe query patterns.

Rate limiting

Upstash Redis sliding window on all auth routes. Graceful no-op fallback when Redis is unavailable.

Resend emails

OTP delivery for email verification and password reset. Inline-styled HTML templates, spam-filter safe.

Reusable UI

Button, Input, Loader, Toast, Modal, Navbar, Footer — themed via CSS variables, no hardcoded colors.

Server actions

All mutations use Next.js server actions with useTransition — buttons auto-disabled during pending state.

Mobile-first

Every component built base → sm → md → lg. No layout surprises on any screen size.

// how it works

Zero to production in 5 steps

Clone. Enter your folder. Choose your database. Install. Ship.

01

Clone the repo

git clone https://github.com/Talhaahmad9/nextforge.git my-project

Get the full scaffold with all auth flows, security layers, and UI components already wired.

02

Enter the project folder

cd my-project

Move into your new project directory so setup and install commands target the right workspace.

03

Choose your database

node setup.mjs

Interactive CLI — pick MongoDB, Supabase, or Firebase. The script copies the right files, strips unused dependencies, and generates your .env.local.example. Deletes itself when done.

MongoDB + Mongoose · Supabase + PostgreSQL · Firebase + Firestore
$ node setup.mjs
┌──────────────────────────────────────────┐
│ NextForge — Database Setup │
└──────────────────────────────────────────┘
 
Which database backend do you want to use?
1) MongoDB (Mongoose)
2) Supabase (PostgreSQL)
3) Firebase (Firestore)
 
Enter 1, 2, or 3:

04

Configure & install

npm install
cp .env.local.example .env.local

Fill in AUTH_SECRET, your DB credentials, Resend API key, and Upstash Redis. Every variable is documented in .env.local.example.

05

Start building

npm run dev

Auth works. Email flows work. Security is on. Your job is business logic — nothing else.

Ship it.

// what's included

Everything you don't have to build again

Login flows. Email verification. Password reset. Rate limiting. Input validation. Security protections. It's already done.

core framework

Next.js 16 · TypeScript · Tailwind CSS v4 · App Router · Turbopack · React 19

Authentication

NextAuth v5 · Credentials provider · Google OAuth · JWT sessions · Email verification · Password reset

Database clients

MongoDB + Mongoose · Supabase + PostgreSQL · Firebase + Firestore · Connection pooling · Safe query patterns · setup.mjs chooser

Pick one — the rest is stripped clean

Email

Resend API · OTP delivery · HTML email templates · Inline CSS (spam-safe) · Verification flow · Reset flow

Security

Zod validation · XSS sanitization · NoSQLi operator stripping · CSRF tokens · Upstash rate limiting · CSP + HSTS headers

UI components

Button (5 variants) · Input + error states · Loader (3 variants) · Toast system · Modal + focus trap · Navbar + Footer

Dev experience

TypeScript throughout · Server actions · useTransition patterns · Mobile-first CSS · CSS variable theming · proxy.ts route guards

full stack

Category        Technology
Framework       Next.js 16
Auth            NextAuth v5
Database        MongoDB + Mongoose · Supabase · Firebase (pick one)
Email           Resend
Rate Limiting   Upstash Redis
Validation      Zod
Styling         Tailwind CSS v4
Icons           Lucide React
Passwords       bcryptjs (cost 12)
Language        TypeScript (strict)

// security

Security is not optional

It's the default. Every layer hardened before you write a single line of business logic.

Defense in depth

NextForge applies security at every tier. proxy.ts handles route protection and security headers. Server actions re-validate sessions independently - never trust proxy.ts alone. Zod schemas block malformed data before it reaches the database. OTPs are hashed with SHA-256 and verified with timing-safe comparison. Passwords use bcrypt at cost factor 12.

bcrypt cost 12 · CSPRNG OTPs · timing-safe compare · SHA-256 hashed OTPs · 0 plaintext secrets

OTP expiry checked at query time - not just on creation

XSS prevention

escapeHTML() applied to all user-supplied string inputs server-side. CSP headers block unauthorized script execution.

Auth re-verification

Session checked in proxy.ts AND independently inside every server action. A compromised middleware never bypasses action-level guards.

NoSQL injection guard

stripMongoOperators() strips all $-prefixed and dot-notation keys from user input before any MongoDB query. Supabase uses parameterized queries.
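The operator-stripping guard described above, as an added example written for this page (it is not NextForge's own stripMongoOperators(), whose exact rules may differ). It walks a parsed request body recursively and drops any key that begins with $ or contains a dot; it also drops the __proto__ key, which goes slightly beyond what the page lists, because a JSON body can carry that key and a naive copy would turn it into a prototype assignment. The sample body is constructed.

```javascript
// Added example, not NextForge's own stripMongoOperators(). Recursively removes
// keys that MongoDB would read as operators ($-prefixed) or field paths
// (dot-notation) from untrusted input, so a JSON body can never smuggle query
// syntax into a filter such as { email: body.email, password: body.password }.
function stripMongoOperators(value) {
  if (Array.isArray(value)) {
    return value.map(stripMongoOperators);
  }
  if (value === null || typeof value !== 'object') {
    return value; // strings, numbers, booleans pass through untouched
  }
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) {
    return value; // Date, Buffer, ObjectId etc. are not user-controlled dictionaries
  }
  const clean = {};
  for (const [key, child] of Object.entries(value)) {
    if (key.startsWith('$') || key.includes('.')) continue; // operator or field-path key: drop
    if (key === '__proto__') continue; // assumption beyond the page: also block prototype assignment
    clean[key] = stripMongoOperators(child);
  }
  return clean;
}

// Constructed sample body, the shape a login handler sees after JSON.parse.
const sampleBody = {
  email: 'user@example.com',
  password: { $ne: '' },          // operator object where a string is expected
  'profile.role': 'admin',        // dot-notation key aimed at a nested field
  tags: [{ $gt: 1 }, 'ok'],
  remember: true,
};

function demo() {
  // After stripping, password is {} rather than a string. A Zod schema that
  // requires z.string() for password then rejects the request outright, which is
  // why the page pairs operator stripping with schema validation.
  return stripMongoOperators(sampleBody);
}

console.log(JSON.stringify(demo()));
```

Run the guard on the parsed body before it is handed to any Mongoose call, and keep Zod validation after it: stripping turns operator objects into empty objects, and the schema is what turns that into a rejected request rather than an odd query.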

OTP security

6-digit OTPs generated via crypto.randomInt (CSPRNG). SHA-256 hash stored - plaintext never persisted. Verified with crypto.timingSafeEqual.

OTP expiry

10-minute expiry checked at query time with $gt: new Date(). TTL index on MongoDB auto-deletes expired documents. Used flag prevents replay.

Security headers

X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, HSTS in production.

Rate limiting

Upstash Redis sliding window - 5 req/min on auth routes, 3 req/min on OTP endpoints. Graceful no-op fallback if Redis is unavailable.

No data leaks

Passwords use select: false on Mongoose queries. Raw errors never reach the client. process.env.NODE_ENV gates dev-only error output. Email enumeration prevented on password reset and OTP resend.

// developer

Built by Talha Ahmad

Full-Stack Developer and Computer Science student at IoBM, Karachi. NextForge was built to stop rebuilding the same boilerplate across every project - so every new idea starts at production-ready, not ground zero.

Karachi, Pakistan

Find it useful?

Star the repo to keep up as NextForge grows - new database variants, components, and improvements land regularly.

MIT licence - free for personal and commercial use

github.com/Talhaahmad9/nextforge