Next.js × Supabase アプリ層セキュリティ（脆弱性の検出・多層防御・RLS/認可の検証）実装ガイド

Why does code written by generative AI (Copilot/Claude, etc.) have more vulnerabilities? Drawing on research data from Stanford and NYU and 'slopsquatting,' it explains the risks specific to AI-generated code and a practical procedure to crush them in four layers (SCA/secrets/SAST/DAST) before release, with real code. It also shows the safety AI cannot in principle create (authorization, business logic) and the design of human verification gates.

Next.js App Router's Server Actions have a degree of CSRF resistance via POST-only + Origin/Host match check + encrypted action IDs. But it's not enough. It honestly explains Origin verification, SameSite cookies, and Route Handler protection — what's automatically protected and what to add — faithful to the scope the official docs show.

Environment variables with the NEXT_PUBLIC_ prefix are baked into the client bundle at build time and published. We systematically explain — in Next.js vulnerable→fixed real code — the server-only boundary that prevents secret-key mixing accidents, typed env validation with Zod, and secret-scan implementation.

Passing user input straight to redirect() or callbackUrl lets a trusted own domain be the starting point to lure to an attacker site, leading to phishing or token theft right after authentication. It explains how to fall to the safe side with relative-path enforcement, a host allowlist, and verification with new URL, with vulnerable→fixed code of Next.js's auth flow, and bypass countermeasures like //evil and backslash.

How to introduce security headers like CSP, HSTS, X-Content-Type-Options, Referrer-Policy, and frame-ancestors all at once with one Next.js App Router middleware. It explains in real code why a hand-written nonce-style CSP breaks and how to automate it, and honestly shows the limit that CSP is a complement to XSS countermeasures, not a substitute for output design.

Because Vercel/Lambda instances are disposable and run concurrently, in-process-memory rate limiting passes straight through. We explain — in real Next.js code (middleware/route handler) — a design that implements an atomic sliding window with a distributed store like Upstash Redis.

When the server fetches a user-input URL, SSRF can reach cloud metadata (169.254.169.254) or internal services. It explains, with vulnerable→fixed code of the Next.js App Router, a scheme/host allowlist, blocking private IPs, prohibiting redirect-following, and taint detection of tainted-input→fetch-sink.

An honest explanation of what a security audit for a Next.js × Supabase app actually inspects. We map out the boundary between the 'horizontal controls' that automated tools (SAST/DAST/SCA) can close and the 'vertical risks' that only an audit can close (authorization/IDOR, RLS design, tenant isolation, business logic), when an audit becomes necessary, and the 3-stage approach with pricing (from ¥98,000).

A design that incorporates security inspection into CI and stops the build only on high-confidence detections. It explains, with actual YAML and commands, running SAST in GitHub Actions, code-scanning integration via SARIF, and operation that doesn't break CI with false positives (block only the confirmed via static×dynamic correlation).

React escapes JSX by default, but it slips out via dangerouslySetInnerHTML, href=javascript:, DOM manipulation through ref, and DOM sinks. It explains, with vulnerable→fixed real code, where XSS/DOM-XSS occurs, output-time sanitization with DOMPurify, and the defense-in-depth of CSP (nonce) / Trusted Types.

Supabase's anon key is meant to be public, but the major premise is that RLS is taking effect. The service_role key completely ignores RLS with the BYPASSRLS privilege, and if leaked, all data is exposed. We explain the design of key placement, the server boundary, and ownership checks in real Next.js App Router code.

Explains how to prove, by verification, that 'isolation isn't broken' for the cross-tenant leak where another tenant's data is visible in a multi-tenant SaaS — not just designing RLS. Shows the practice of raising confidence with pgTAP-style regression tests, ownership checks, safe dynamic probing (DAST), and SAST correlation, with vulnerable→verified real code.

Supabase makes plain SQL injection unlikely with PostgREST and parameterized queries. But dynamic SQL inside functions (EXECUTE and string concatenation), misuse of format()'s %s, raw SQL, and the assembly of search filters become injection routes. This explains, with vulnerable→fixed real SQL/TS, how to make it safe with EXECUTE USING parameterization, format()'s %I/%L, quote_ident/literal, and allowlist verification.

Supabase RLS opens holes by 'thinking you enabled it.' A practical guide to surfacing and plugging the dangerous patterns — RLS not enabled, missing WITH CHECK, USING(true), over-granted anon, and SECURITY DEFINER without a fixed search_path — with static verification of supabase/migrations/**.sql.

公開GitHubのSupabaseアプリ1,000件・116,662件のRLSポリシを静的スキャンした一次調査。RLSを持つ994件の9.2%が『認証はするが行を所有者に絞らない』ポリシを持っていた（下限値）。看板ルールはこの2倍規模でも precision 1.0 を維持し、走査自体が姉妹ルールの誤検知を炙り出して0に。auth.role()='authenticated'の落とし穴と自分のアプリの測り方まで、実データで解説します。

Organizing the easily-confused difference between USING (the read filter) and WITH CHECK (the write filter) in Supabase RLS, this explains, with vulnerable→fixed SQL for INSERT/UPDATE/ALL, the 'write bypass' where a write policy lacking WITH CHECK lets an authenticated user create rows with someone else's user_id or another tenant's id.

Because a SECURITY DEFINER function runs with the definer's privileges, if you don't fix the search_path an attacker can inject a same-named object into a temporary schema or public, bypass RLS, and escalate privileges. This article explains the safe way to write them — set search_path = '', schema-qualify, and minimize GRANT — and how to detect the flaw in migrations/pg_proc, with real SQL.

An honest explanation, from the buyer's perspective, of the cost and market rate of web-app vulnerability assessment. Price bands by method (automated / manual / hybrid / penetration), guides by target (web, API, mobile, platform), the seven cost drivers that move an estimate, the trap of 'all-inclusive' estimates, the legitimate way to keep it cheap, and how to spot an assessment that's too cheap — summarized together with my own transparent pricing.

A hands-on for practicing web-app vulnerability assessment from 'the range you can do yourself.' Faithful to the official methods of OWASP Top 10:2025・WSTG v4.2・ASVS 5.0, it explains SCA・SAST(Semgrep)・secret scanning・DAST(ZAP)・CI/SARIF integration with real code, and honestly shows the limits of automation (authorization/IDOR・business logic) and the boundary where a professional audit is needed.

A comparison guide for correctly choosing web-app vulnerability-scanning tools by type (SAST/DAST/SCA/secrets) and role. The difference between free ZAP (Apache-2.0) and the $475/year Burp Suite Professional, SAST like Semgrep, dependency assessment with npm audit/Dependabot, Japanese SaaS-type tools (AeyeScan/VAddy/Securify), and commercial integrated DAST — with a selection flow by scale/budget/setup, and honestly showing the area tools can't close.

Explains how AI-mass-produced Next.js × Supabase apps expose other people's data via OWASP API1:2023 BOLA (IDOR), centered on CVE-2025-48757 and RLS bypass by the service_role key. It shows, with vulnerable→fixed real code, why a WAF or security headers can't prevent it, and how to systematically find and fix it with three layers: taint analysis, RLS verification, and runtime confirmation.