Back to examples
Security & performance
Guardrails for apps that talk to Nest — cookies, CORS, and what stays off the client.
Week 3 · security
Security
- Session JWT in httpOnly cookie — not
localStorage - Axios
withCredentials: true+ Nest CORS allowlist - Never trust the client — Nest DTOs validate again
- Don’t render user HTML with
dangerouslySetInnerHTML - Secrets stay server-side — no
NEXT_PUBLIC_for private keys
Performance
- Push client components to the leaves; keep shells on the server
- TanStack Query
staleTimeto avoid refetch storms - Paginate Nest lists — never dump the table
- Fix request waterfalls; measure with Network + Profiler
// ❌ localStorage.setItem('token', jwt)
// ✅ res.cookie('access_token', jwt, { httpOnly: true, sameSite: 'lax' })Practice cookie sessions on /login, then wire the same pattern into Week 4 Notes projects.