Testing Checklist
WSTG-CONF - Configuration and Deploy Management Testing
WSTG-CONF-01 Test Network Infrastructure Configuration
WSTG-CONF-02 Test Application Platform Configuration
WSTG-CONF-03 Test File Extensions Handling for Sensitive Information
WSTG-CONF-04 Review Old Backup and Unreferenced Files for Sensitive Information
WSTG-CONF-05 Enumerate Infrastructure and Application Admin Interfaces
WSTG-CONF-06 Test HTTP Methods
WSTG-CONF-07 Test HTTP Strict Transport Security
WSTG-CONF-08 Test RIA Cross Domain Policy
WSTG-CONF-09 Test File Permission
WSTG-CONF-10 Test for Subdomain Takeover
WSTG-CONF-11 Test Cloud Storage
WSTG-CONF-12 Testing for Content Security Policy
Configure your Next.js 14 application following OWASP WSTG-CONF security best practices:
1. Configuration Management
Create a solid configuration structure for your Next.js 14 app:
```javascript
// next.config.js
const nextConfig = {
  // Environment variables: do not list secrets here. Anything placed under
  // the `env` key is inlined into the browser bundle as well as the server
  // bundle at build time. Read server-only values such as API_SECRET with
  // process.env in server code only; only variables prefixed NEXT_PUBLIC_
  // are meant to reach the client.

  // Enable strict mode for React components
  reactStrictMode: true,

  // Add Content Security Policy and related headers to every response
  headers: async () => {
    return [
      {
        source: '/:path*',
        headers: [
          {
            key: 'Content-Security-Policy',
            // 'unsafe-eval' weakens script-src considerably; remove it once
            // no dependency requires it
            value:
              "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:;",
          },
          {
            key: 'X-Content-Type-Options',
            value: 'nosniff',
          },
          {
            key: 'X-Frame-Options',
            value: 'DENY',
          },
          {
            // Legacy header kept for old browsers; current browsers ignore it
            // and rely on CSP instead
            key: 'X-XSS-Protection',
            value: '1; mode=block',
          },
        ],
      },
    ];
  },
};

module.exports = nextConfig;
```
2. Environment Variables Management
Create `.env` files but never commit them to version control:

```
# .env.local (don't commit this file)
DATABASE_URL=your_db_connection_string
API_SECRET=your_api_secret

# Client-side variables (will be exposed)
NEXT_PUBLIC_API_URL=https://api.yourdomain.com
```

Add `.env*.local` to your `.gitignore` file:

```
# .gitignore
.env*.local
```
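The split between server-only and `NEXT_PUBLIC_` variables is easy to get wrong in a later commit. As an added example (not from the original post), the check below enforces it at boot: it reports missing server-only variables, secret-looking names that carry the `NEXT_PUBLIC_` prefix and would therefore be compiled into the browser bundle, and template placeholder values left unfilled. The variable names follow the `.env.local` above; the sample objects and the helper names `checkEnv` and `assertEnv` are this example's own.

```javascript
// Added example: boot-time environment check for a Next.js app.
// Variable names follow the page's .env.local; sample inputs are constructed.

// Server-only variables the app cannot start without.
const REQUIRED_SERVER_VARS = ['DATABASE_URL', 'API_SECRET'];

// Names that normally hold secrets and must never be browser-visible.
const SECRET_NAME = /SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE/i;

// Values that look like unfilled placeholders from a template .env file.
const PLACEHOLDER_VALUE = /^(your_|changeme|replace_me)/i;

// Returns human-readable problems; an empty list means the environment passed.
// `env` is a plain object such as process.env.
function checkEnv(env) {
  const problems = [];

  for (const name of REQUIRED_SERVER_VARS) {
    if (!env[name]) problems.push(`missing required server variable ${name}`);
  }

  for (const [name, value] of Object.entries(env)) {
    if (typeof value === 'string' && PLACEHOLDER_VALUE.test(value)) {
      problems.push(`${name} still holds a placeholder value`);
    }
    if (name.startsWith('NEXT_PUBLIC_') && SECRET_NAME.test(name)) {
      problems.push(`${name} would be exposed to the browser but looks like a secret`);
    }
  }

  return problems;
}

// Fail fast: call this from server-side startup code (for example the top of
// next.config.js), never from client code. Returns true when the check passes.
function assertEnv(env) {
  const problems = checkEnv(env);
  if (problems.length > 0) {
    throw new Error(`Environment check failed:\n  ${problems.join('\n  ')}`);
  }
  return true;
}

// Stand-alone demonstration on a constructed environment (not process.env).
console.log(checkEnv({ API_SECRET: 'your_api_secret', NEXT_PUBLIC_API_TOKEN: 'abc123' }));
```

Calling `assertEnv(process.env)` from `next.config.js` makes `next build` fail before a misconfigured bundle is produced; the name pattern is deliberately conservative, so extend `SECRET_NAME` with the naming used in your own codebase.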
3. HTTP Methods and Headers Configuration
For API routes, implement proper method handling:
```javascript
// pages/api/example.js
export default function handler(req, res) {
  // Allow only specific HTTP methods
  if (req.method !== 'POST' && req.method !== 'GET') {
    // A 405 response must list the permitted methods in the Allow header
    res.setHeader('Allow', 'GET, POST');
    return res.status(405).json({ error: 'Method not allowed' });
  }

  // Handle the request based on the method; always send a response so the
  // request does not hang
  if (req.method === 'POST') {
    // Process POST request
    return res.status(200).json({ ok: true });
  } else {
    // Process GET request
    return res.status(200).json({ ok: true });
  }
}
```
4. File Extension and Asset Handling
Configure your Next.js app to handle assets securely:
```javascript
// next.config.js
module.exports = {
  // ...other config

  // Restrict next/image to trusted remote hosts. `remotePatterns` replaces the
  // older `domains` list and also pins the scheme. `formats` selects the output
  // formats the image optimizer serves; Next.js accepts only 'image/avif' and
  // 'image/webp' here (PNG and JPEG sources are still accepted as input).
  images: {
    remotePatterns: [{ protocol: 'https', hostname: 'trusted-domain.com' }],
    formats: ['image/avif', 'image/webp'],
  },

  // Send visits to /admin to the sign-in page. A redirect is not an access
  // control: the admin route itself must still check authentication.
  async redirects() {
    return [
      {
        source: '/admin',
        destination: '/api/auth/signin',
        permanent: false,
      },
    ];
  },
};
```
5. Authentication Configuration (prevent default credentials)
If using NextAuth.js:
```javascript
// pages/api/auth/[...nextauth].js
import NextAuth from 'next-auth';
import CredentialsProvider from 'next-auth/providers/credentials';

const isProduction = process.env.NODE_ENV === 'production';

export default NextAuth({
  // Secret used to sign and encrypt sessions and JWTs; read from the
  // environment, never hardcoded
  secret: process.env.NEXTAUTH_SECRET,
  providers: [
    CredentialsProvider({
      // Custom authentication logic
      async authorize(credentials) {
        // Implement proper auth against your user store; never hardcode
        // credentials. Return the user object on success and null on failure.
        // ...authentication code
        return null;
      },
    }),
  ],
  // Set secure cookies in production. Browsers only accept the __Secure-
  // prefix on cookies that carry the Secure flag, so the prefix is applied
  // in production only.
  cookies: {
    sessionToken: {
      name: isProduction ? '__Secure-next-auth.session-token' : 'next-auth.session-token',
      options: {
        httpOnly: true,
        sameSite: 'lax',
        path: '/',
        secure: isProduction,
      },
    },
  },
  // Configure sessions
  session: {
    strategy: 'jwt',
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },
  // Implement callbacks for additional security checks
  callbacks: {
    async jwt({ token, user }) {
      // Add custom claims
      return token;
    },
  },
});
```
6. Deployment Configuration
Create a secure deployment setup:
```typescript
// middleware.ts
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

export function middleware(request: NextRequest) {
  // Add security headers to all responses
  const response = NextResponse.next();

  // Set secure headers. HSTS only takes effect over HTTPS, and `preload`
  // commits every subdomain to HTTPS once the domain is on the preload list.
  response.headers.set(
    'Strict-Transport-Security',
    'max-age=63072000; includeSubDomains; preload'
  );
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

  return response;
}

export const config = {
  // Skip static assets and the favicon; every other path passes through
  matcher: '/((?!_next/static|_next/image|favicon.ico).*)',
};
```
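Once the headers from sections 1 and 6 are deployed, the WSTG-CONF-07 and WSTG-CONF-12 items reduce to checking what the server actually sends. As an added example (not from the original post), the audit below parses a response's header map and reports the weaknesses a tester would flag: a missing or short-lived HSTS policy, a CSP without a `default-src` fallback or with a trivially bypassable `script-src`, no clickjacking protection, and a missing `nosniff`. Feed it the headers of a fetched page (for a `fetch` Response, `Object.fromEntries(res.headers)`); the sample header sets here are constructed.

```javascript
// Added example: security-header audit for WSTG-CONF-07 (HSTS) and
// WSTG-CONF-12 (CSP). Sample inputs are constructed for this example.

const ONE_YEAR_SECONDS = 31536000;

// Parse "max-age=63072000; includeSubDomains; preload" into its directives.
function parseHsts(value) {
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim().toLowerCase();
    if (directive.startsWith('max-age=')) hsts.maxAge = Number(directive.slice('max-age='.length));
    else if (directive === 'includesubdomains') hsts.includeSubDomains = true;
    else if (directive === 'preload') hsts.preload = true;
  }
  return hsts;
}

// Parse a CSP string into Map<directive, [sources]>.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns a list of findings; an empty list means every check passed.
// `headers` is a plain object; header names are matched case-insensitively.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  // WSTG-CONF-07: HSTS present, at least one year, covering subdomains
  if (!h['strict-transport-security']) {
    findings.push('HSTS header missing');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (!(hsts.maxAge >= ONE_YEAR_SECONDS)) findings.push('HSTS max-age below one year');
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }

  // WSTG-CONF-12: CSP present, with a fallback and a restrictive script-src
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) {
    findings.push('CSP header missing');
  } else {
    if (!csp.has('default-src')) findings.push('CSP has no default-src fallback');
    const scriptSrc = csp.get('script-src') || csp.get('default-src') || [];
    for (const weak of ["'unsafe-eval'", "'unsafe-inline'", '*']) {
      if (scriptSrc.includes(weak)) findings.push(`script-src allows ${weak}`);
    }
  }

  // Clickjacking: either frame-ancestors in CSP or a restrictive X-Frame-Options
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!(csp && csp.has('frame-ancestors')) && xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('no frame-ancestors directive and no X-Frame-Options');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }

  return findings;
}

// Stand-alone demonstration on the page's section 1 headers (constructed map).
console.log(auditSecurityHeaders({
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
}));
```

Running the audit against the section 1 header set alone shows why section 6 is needed: HSTS is absent there, and the `'unsafe-eval'` source is reported as a weakness.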
7. Preventing Backup Files and Information Leakage
Add these patterns to your `.gitignore`:

```
# .gitignore

# Dependencies
/node_modules

# Next.js build output
/.next/
/out/

# Environment variables
.env*.local

# Debug logs
npm-debug.log*
yarn-debug.log*
yarn-error.log*

# Editor files
.vscode/
.idea/

# Backup files
*.bak
*.tmp
*.swp
```
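A `.gitignore` only keeps these files out of the repository; WSTG-CONF-04 is about what is reachable on the deployed server. As an added example (not from the original post), the scanner below takes the list of files that actually landed in a deployment artifact or in `public/` and reports anything matching the backup, editor, log and secrets patterns above. The rule list and the constructed sample paths are this example's own; `.env.example` is deliberately exempted because it is normally meant to ship.

```javascript
// Added example: WSTG-CONF-04 check for backup and unreferenced files in a
// build artifact. Rules and sample paths are constructed for this example.

// Each rule pairs a regex over the relative path with the reason it matters.
const LEAK_RULES = [
  { pattern: /(^|\/)\.env(?!\.example$)(\..*)?$/, reason: 'environment file with secrets' },
  { pattern: /\.(bak|tmp|swp|orig|old)$/i, reason: 'backup or temp file' },
  { pattern: /~$/, reason: 'editor backup file' },
  { pattern: /(^|\/)(\.git|\.vscode|\.idea)(\/|$)/, reason: 'VCS or editor metadata' },
  { pattern: /(^|\/)(npm-debug|yarn-debug|yarn-error)\.log/, reason: 'debug log' },
  { pattern: /(^|\/)\.DS_Store$/, reason: 'OS metadata file' },
];

// Normalise Windows separators and a leading ./ so rules match consistently.
function normalisePath(p) {
  return p.replace(/\\/g, '/').replace(/^\.\//, '');
}

// Returns [{ path, reason }] for every file that should not be deployed.
// `paths` is an array of relative paths, e.g. from walking the artifact.
function findLeakedFiles(paths) {
  const findings = [];
  for (const raw of paths) {
    const path = normalisePath(raw);
    for (const rule of LEAK_RULES) {
      if (rule.pattern.test(path)) {
        findings.push({ path, reason: rule.reason });
        break; // the first matching reason is enough per file
      }
    }
  }
  return findings;
}

// Stand-alone demonstration on a constructed file list.
console.log(findLeakedFiles([
  'public/logo.png',
  'public/config.js.bak',
  '.env.production',
  'pages/index.js~',
]));
```

Wire this into the deploy pipeline (for example over the file list of the `out/` directory or the container image) and fail the build on any finding; an empty result is the evidence a tester looks for in this checklist item.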
8. Additional Security Considerations
Use a rate limiter for API routes to prevent abuse
Implement proper CSRF protection
Configure proper CORS settings for your API routes
Use SRI (Subresource Integrity) for external scripts
Regularly update dependencies and fix known-vulnerable ones with `npm audit fix`
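The method allowlist from section 3 and the first two items above (rate limiting and CSRF protection) are usually applied together in front of every API route. As an added example (not from the original post), the wrapper below does exactly that for a Pages-router handler: it enforces the method allowlist with a correct 405, refuses state-changing requests whose `Origin` is not trusted, and applies a fixed-window rate limit per client address. `withApiGuards`, its option names, the trusted origin and the `mockResponse` helper are this example's own; the rate-limit state lives in memory, so with several server instances you would back it with a shared store.

```javascript
// Added example: combined method allowlist, Origin-based CSRF check and
// fixed-window rate limit for a Next.js Pages-router API route.
// Option names and the trusted origin are constructed for this example.

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

function withApiGuards(options, handler) {
  const {
    methods,                                        // e.g. ['GET', 'POST']
    origins = new Set(['https://app.example.com']), // constructed trusted origin
    windowMs = 60000,                               // rate-limit window
    max = 100,                                      // requests per window per client
    now = Date.now,                                 // injectable clock (used by tests)
  } = options;
  const allowHeader = methods.join(', ');
  const counters = new Map(); // client key -> { start, count }

  return function guarded(req, res) {
    // 1. Method allowlist; a 405 must name the permitted methods in Allow.
    if (!methods.includes(req.method)) {
      res.setHeader('Allow', allowHeader);
      return res.status(405).json({ error: 'Method not allowed' });
    }

    // 2. CSRF mitigation: browsers send Origin on cross-site state-changing
    //    requests, so an absent or untrusted Origin is refused. Non-browser
    //    clients need their own credential check instead of this rule.
    if (!SAFE_METHODS.includes(req.method)) {
      const origin = req.headers.origin;
      if (!origin || !origins.has(origin)) {
        return res.status(403).json({ error: 'Origin not allowed' });
      }
    }

    // 3. Fixed-window rate limit. Behind a reverse proxy, key on the
    //    proxy-supplied client address instead, but only once you have
    //    confirmed the proxy overwrites that header.
    const key = (req.socket && req.socket.remoteAddress) || 'unknown';
    const t = now();
    const bucket = counters.get(key);
    if (!bucket || t - bucket.start >= windowMs) {
      counters.set(key, { start: t, count: 1 });
    } else if (++bucket.count > max) {
      const retryAfter = Math.ceil((bucket.start + windowMs - t) / 1000);
      res.setHeader('Retry-After', String(retryAfter));
      return res.status(429).json({ error: 'Too many requests' });
    }

    return handler(req, res);
  };
}

// Minimal stand-in for Next's res object so the wrapper can be exercised
// without a running server.
function mockResponse() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// In pages/api/example.js the export would be:
//   export default withApiGuards({ methods: ['GET', 'POST'] },
//     (req, res) => res.status(200).json({ ok: true }));

// Stand-alone demonstration with a constructed request.
const demo = withApiGuards({ methods: ['GET', 'POST'] }, (req, res) => res.status(200).json({ ok: true }));
const demoRes = mockResponse();
demo({ method: 'DELETE', headers: {}, socket: { remoteAddress: '10.0.0.1' } }, demoRes);
console.log(demoRes.statusCode, demoRes.headers.Allow); // 405 'GET, POST'
```

The order of the checks is deliberate: cheap rejections (wrong method, bad Origin) happen before the rate-limit counter is touched, so they cannot be used to exhaust a legitimate client's quota.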