Fullstack CourseLearn by building
Back to examples

Security & performance

Guardrails for apps that talk to Nest — cookies, CORS, and what stays off the client.

Week 3 · security

Security

  • Session JWT in httpOnly cookie — not localStorage
  • Axios withCredentials: true + Nest CORS allowlist
  • Never trust the client — Nest DTOs validate again
  • Don’t render user HTML with dangerouslySetInnerHTML
  • Secrets stay server-side — no NEXT_PUBLIC_ for private keys

Performance

  • Push client components to the leaves; keep shells on the server
  • TanStack Query staleTime to avoid refetch storms
  • Paginate Nest lists — never dump the table
  • Fix request waterfalls; measure with Network + Profiler
// ❌ localStorage.setItem('token', jwt)
// ✅ res.cookie('access_token', jwt, { httpOnly: true, sameSite: 'lax' })

Practice cookie sessions on /login, then wire the same pattern into Week 4 Notes projects.