
Nextjs Security

Role Based Access Control

Context

App Router

Role-based Authentication in NextJs 13 using NextAuth.

RBAC with Clerk

Cookies

Using cookies in Nextjs.

Server

Questions

  • What security layer catches the threat that authentication misses?
  • When does RBAC break down and require attribute-based access control?
  • How do you secure server actions that bypass middleware entirely?
  • What cookie strategy survives a cross-site request forgery attack?
  • Where does Clerk's organization model map to your own permission boundaries?
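Two of the questions above, securing a server action that middleware does not cover and choosing a cookie that holds up under CSRF, are worth seeing in code. The block below is an added example, not code from this page, from Next.js or from NextAuth or Clerk. It is framework-agnostic so that it runs on its own: in a real Next.js app the cookie header would come from `cookies()` in `next/headers` and the action file would carry the `"use server"` directive. The role ranking, the in-memory session store, the cookie name `__Host-session` and the `deletePost` action are all assumptions made for the example.

```javascript
// Added example (not from the page, Next.js, NextAuth or Clerk): enforce RBAC
// inside a server action and issue a CSRF-resistant session cookie.
// Framework-agnostic so it runs stand-alone; in Next.js the cookie header
// would come from cookies() in next/headers and the action file would start
// with "use server". Role ranking, session store, the "__Host-session" cookie
// name and the deletePost action are assumptions made for this example.

const ROLE_RANK = { viewer: 1, editor: 2, admin: 3 };

// Constructed in-memory session store: opaque session id -> principal.
const SESSIONS = new Map([
  ["sess-admin", { userId: "u1", role: "admin" }],
  ["sess-viewer", { userId: "u2", role: "viewer" }],
]);

class AuthorizationError extends Error {}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Resolve the caller from the session cookie and check the required role.
// Throws on any failure so the action body never runs for an unauthenticated
// or under-privileged caller.
function authorize(cookieHeader, required) {
  const id = parseCookies(cookieHeader)["__Host-session"];
  const session = id ? SESSIONS.get(id) : undefined;
  if (!session) throw new AuthorizationError("unauthenticated");
  if ((ROLE_RANK[session.role] || 0) < (ROLE_RANK[required] || Infinity)) {
    throw new AuthorizationError(`role ${session.role} lacks ${required}`);
  }
  return session;
}

// Wrap an action so that every invocation re-runs authorize(). A server action
// is reachable as a POST endpoint no matter which page rendered the form, so a
// route-matching middleware check is not enough; the check has to live here.
function withRole(required, action) {
  return async (cookieHeader, ...args) =>
    action(authorize(cookieHeader, required), ...args);
}

// Hypothetical action: only editors and above may delete a post.
const deletePost = withRole("editor", async (session, postId) => ({
  deleted: postId,
  by: session.userId,
}));

// Set-Cookie value for the session cookie. SameSite=Lax stops the browser
// attaching it to cross-site POSTs (the request a server action receives),
// HttpOnly keeps it away from script, and the __Host- prefix makes the browser
// reject the cookie unless it is Secure, has Path=/ and carries no Domain.
function sessionCookie(id, maxAgeSeconds = 3600) {
  return [
    `__Host-session=${encodeURIComponent(id)}`,
    "Path=/",
    "Secure",
    "HttpOnly",
    "SameSite=Lax",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Stand-alone demo: an admin passes the editor check, a viewer is rejected.
async function main() {
  console.log(sessionCookie("sess-admin"));
  console.log(await deletePost("__Host-session=sess-admin", "post-42"));
  try {
    await deletePost("__Host-session=sess-viewer", "post-42");
  } catch (e) {
    console.log("viewer rejected:", e.message);
  }
}
if (typeof require !== "undefined" && require.main === module) main();
```

The design point is that `withRole` puts the authorization decision on the same code path as the action body, so there is no request route on which the action runs without it. `SameSite=Lax` is chosen over `Strict` because it still lets the cookie travel on a top-level navigation to the site; if that is not needed, `Strict` is the tighter setting.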