Authentication & Token Management
Priority: P0 (CRITICAL)
Use HttpOnly Cookies for token storage. Never use LocalStorage.
Key Rules
- Storage: Use cookies().set() with httpOnly: true, secure: true, sameSite: 'lax'. (Reference: Setting Tokens)
- Access: Read tokens in Server Components via cookies().get(). (Reference: Reading Tokens)
- Protection: Guard routes in middleware.ts before rendering. (Reference: Middleware Protection)
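The three rules above map onto plain HTTP mechanics, which the following added example models without a Next.js dependency so it can run anywhere. This is not code from the page or from Next.js: buildSetCookie renders the Set-Cookie header that cookies().set() emits for these options, readCookie parses a request's Cookie header the way cookies().get() does, and guardRoute is the decision a middleware.ts would make before a protected route renders. The function names, the cookie name "token", the public-path list and the sample header values are this example's own assumptions.

```typescript
// Added example (not from the original page or from Next.js): a dependency-free
// model of the storage / access / protection rules for an HttpOnly token cookie.

type SameSite = "lax" | "strict" | "none";

interface CookieOptions {
  httpOnly: boolean;
  secure: boolean;
  sameSite: SameSite;
  path?: string;
  maxAge?: number; // seconds
}

// Attribute names as they appear on the wire.
const SAMESITE_LABEL: Record<SameSite, string> = { lax: "Lax", strict: "Strict", none: "None" };

// The options the page requires. In Next.js, cookies().set("token", value, TOKEN_COOKIE)
// in a Server Action or Route Handler yields the header buildSetCookie() renders below.
const TOKEN_COOKIE: CookieOptions = {
  httpOnly: true,  // not exposed to document.cookie, so injected script cannot read it
  secure: true,    // only sent over HTTPS
  sameSite: "lax", // withheld from cross-site POSTs, which limits CSRF
  path: "/",
  maxAge: 60 * 60, // one hour (assumed lifetime for this example)
};

// Storage: render the Set-Cookie header value for a token.
function buildSetCookie(name: string, value: string, opts: CookieOptions): string {
  // Browsers reject SameSite=None without Secure; fail loudly instead of silently.
  if (opts.sameSite === "none" && !opts.secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  parts.push(`SameSite=${SAMESITE_LABEL[opts.sameSite]}`);
  return parts.join("; ");
}

// Access: read one cookie from a request's Cookie header, as cookies().get(name) does
// in a Server Component. Returns undefined when the header or the cookie is absent.
function readCookie(cookieHeader: string | null, name: string): string | undefined {
  if (!cookieHeader) return undefined;
  for (const pair of cookieHeader.split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    if (pair.slice(0, idx).trim() === name) {
      return decodeURIComponent(pair.slice(idx + 1).trim());
    }
  }
  return undefined;
}

// Protection: the decision middleware.ts makes before rendering a protected route.
type GuardResult = { action: "next" } | { action: "redirect"; to: string };

// Paths that must stay reachable without a token (assumed list for this example).
const PUBLIC_PREFIXES = ["/login", "/api/auth", "/_next", "/favicon.ico"];

function guardRoute(pathname: string, cookieHeader: string | null): GuardResult {
  if (PUBLIC_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
    return { action: "next" };
  }
  // Presence check only: a real middleware would also validate the token
  // (signature, expiry) in whatever format the application issues.
  const token = readCookie(cookieHeader, "token");
  if (!token) {
    return { action: "redirect", to: `/login?next=${encodeURIComponent(pathname)}` };
  }
  return { action: "next" };
}
```

Because the cookie carries HttpOnly, there is no client-side read path to model: the token only ever travels in request headers, which is exactly why the Server Component and middleware can see it while page scripts cannot.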
Anti-Pattern: LocalStorage
- Security Risk: Vulnerable to XSS. Any script that runs in the page can read LocalStorage and exfiltrate the token; an HttpOnly cookie is never exposed to JavaScript.
- Performance Hit: Incompatible with Server Components (RSC). LocalStorage does not exist during server rendering, so authenticated state cannot be rendered until the client hydrates, which causes layout shift.
Related Topics
common/security-standards | server-components | app-router