Introduction

NextForge is a production-ready, security-hardened Next.js 16 scaffold. Clone it, pick your database, and start building - auth, security, and core infrastructure are already wired.

What is NextForge?

NextForge is not just a file structure. It's a complete starting system - registration, login, email verification, password reset, database connection, input validation, XSS protection, injection prevention, rate limiting, and security headers, all configured and working before you write a line of business logic.

The scaffold ships as a standard Next.js 16 project using the App Router, TypeScript, and Tailwind CSS v4. After running the one-time setup script, no scaffold code remains - just your project.

Who it's for

NextForge is built for:

  • Developers tired of rebuilding auth and security from scratch on every project
  • Indie hackers shipping SaaS products quickly without cutting corners on security
  • Agencies who handle multiple client backends and want a consistent, hardened starting point
  • Anyone who wants secure defaults without spending days on configuration

Why it exists

Most starters give you a folder structure. NextForge gives you a production-ready backend system.

OTPs are hashed with SHA-256 - plaintext is never stored. Passwords use bcrypt at cost factor 12. Timing-safe comparison prevents side-channel attacks on OTP verification. MongoDB inputs are sanitized against operator injection. Supabase uses parameterized queries. Rate limits are separated for auth and OTP endpoints.
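
The OTP handling described above (only a SHA-256 hash is stored, and verification uses a timing-safe comparison), shown as an added example that is not taken from NextForge's source. The function names, the 6-digit code length, and the expiry field are assumptions.

```typescript
// Added example, not NextForge code. issueOtp, verifyOtp and OtpRecord are
// hypothetical names; the 6-digit length and TTL handling are assumptions.
import { createHash, randomInt, timingSafeEqual } from "node:crypto";

interface OtpRecord {
  hash: string;      // hex SHA-256 of the OTP; the only form that is persisted
  expiresAt: number; // epoch milliseconds
}

const sha256 = (value: string): Buffer =>
  createHash("sha256").update(value, "utf8").digest();

// Issue an OTP from a CSPRNG. The plaintext is sent to the user and then
// discarded; only the returned record goes to the database.
function issueOtp(ttlMs: number, now: number = Date.now()): { otp: string; record: OtpRecord } {
  const otp = ("000000" + randomInt(0, 1000000)).slice(-6);
  return { otp, record: { hash: sha256(otp).toString("hex"), expiresAt: now + ttlMs } };
}

// Verify a submitted code against the stored record.
function verifyOtp(submitted: string, record: OtpRecord, now: number = Date.now()): boolean {
  const expected = Buffer.from(record.hash, "hex");
  // Hashing the submission first gives a fixed 32-byte buffer whatever the
  // user typed, so the comparison never depends on input length.
  const actual = sha256(submitted);
  // timingSafeEqual throws on unequal lengths; a truncated or corrupted
  // stored hash is treated as a failed verification instead.
  if (expected.length !== actual.length) return false;
  // Compare before checking expiry so both paths do the same work.
  const match = timingSafeEqual(expected, actual);
  return match && now <= record.expiresAt;
}
```
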

What you get

  • Complete authentication - email/password + Google OAuth via NextAuth v5
  • Three database options - MongoDB, Supabase, Firebase - chosen via node setup.mjs
  • Full OTP flows - email verification and password reset
  • Input validation via Zod on every server action
  • XSS protection via escapeHTML() on all user string inputs
  • NoSQL injection prevention via stripMongoOperators()
  • Rate limiting via Upstash Redis with graceful fallback
  • Security headers on every response via proxy.ts
  • Reusable UI - Button, Input, Loader, Toast, Modal, Navbar, Footer
  • Mobile-first Tailwind CSS v4 with CSS variable theming

Terminal:

    git clone https://github.com/Talhaahmad9/nextforge.git my-project
    cd my-project
    node setup.mjs
    npm install
    npm run dev

Philosophy

Secure by default

NextForge makes one key assumption: security requirements are not optional extras - they're the starting line. Every new project deserves the same hardened foundation regardless of how fast you're moving.

Product over boilerplate

The scaffold is intentionally un-opinionated about business logic. It handles the infrastructure layer so you own the product layer from day one.