phase-7-seo-security
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChinesePhase 7: SEO/Security
第7阶段:SEO/安全
Search optimization and security enhancement
搜索优化与安全性增强
Purpose
目标
Make the application discoverable through search and defend against security vulnerabilities.
提升应用的搜索引擎可发现性,同时防御安全漏洞。
What to Do in This Phase
本阶段需完成的工作
- SEO Optimization: Meta tags, structured data, sitemap
- Performance Optimization: Core Web Vitals improvement
- Security Enhancement: Authentication, authorization, vulnerability defense
- SEO优化:元标签、结构化数据、站点地图
- 性能优化:核心Web指标提升
- 安全性增强:身份验证、授权、漏洞防御
Deliverables
交付物
docs/02-design/
├── seo-spec.md # SEO specification
└── security-spec.md # Security specification
src/
├── middleware/ # Security middleware
└── components/
└── seo/ # SEO componentsdocs/02-design/
├── seo-spec.md # SEO规范文档
└── security-spec.md # 安全规范文档
src/
├── middleware/ # 安全中间件
└── components/
└── seo/ # SEO组件PDCA Application
PDCA循环应用
- Plan: Define SEO/security requirements
- Design: Meta tags, security policy design
- Do: SEO/security implementation
- Check: Inspection and verification
- Act: Improve and proceed to Phase 8
- 计划:定义SEO/安全需求
- 设计:元标签、安全策略设计
- 执行:SEO/安全方案落地
- 检查:检查与验证
- 处理:优化后进入第8阶段
Level-wise Application
分级别应用
| Level | Application Method |
|---|---|
| Starter | SEO only (minimal security) |
| Dynamic | SEO + basic security |
| Enterprise | SEO + advanced security |
| 级别 | 应用方式 |
|---|---|
| Starter(入门级) | 仅实现SEO(基础安全防护) |
| Dynamic(动态级) | SEO + 基础安全防护 |
| Enterprise(企业级) | SEO + 高级安全防护 |
SEO Checklist
SEO检查清单
Basic
基础项
- Per-page title, description
- Open Graph meta tags
- Canonical URL
- sitemap.xml
- robots.txt
- 页面专属标题、描述
- Open Graph元标签
- 规范URL(Canonical URL)
- sitemap.xml
- robots.txt
Structured Data
结构化数据
- JSON-LD schema
- Breadcrumb
- Product/Review schema (if applicable)
- JSON-LD schema
- 面包屑导航
- 产品/评论schema(如适用)
Performance
性能优化
- Image optimization (next/image)
- Font optimization
- Code splitting
- 图片优化(使用next/image)
- 字体优化
- 代码分割
Security Checklist
安全检查清单
Authentication/Authorization
身份验证/授权
- Secure session management
- CSRF protection
- Proper permission checks
- 安全会话管理
- CSRF防护
- 合理的权限校验
Data Protection
数据保护
- Input validation
- SQL injection defense
- XSS defense
- 输入验证
- SQL注入防御
- XSS防御
Communication Security
通信安全
- HTTPS enforcement
- Security header configuration
- CORS policy
- 强制HTTPS
- 安全头配置
- CORS策略
Security Architecture (Cross-Phase Connection)
安全架构(跨阶段关联)
Security Layer Structure
安全层级结构
┌─────────────────────────────────────────────────────────────┐
│ Client (Browser) │
├─────────────────────────────────────────────────────────────┤
│ Phase 6: UI Security │
│ - XSS defense (input escaping) │
│ - CSRF token inclusion │
│ - No sensitive info storage on client │
├─────────────────────────────────────────────────────────────┤
│ Phase 4/6: API Communication Security │
│ - HTTPS enforcement │
│ - Authorization header (Bearer Token) │
│ - Content-Type validation │
├─────────────────────────────────────────────────────────────┤
│ Phase 4: API Server Security │
│ - Input validation │
│ - Rate Limiting │
│ - Minimal error messages (prevent sensitive info exposure) │
├─────────────────────────────────────────────────────────────┤
│ Phase 2/9: Environment Variable Security │
│ - Secrets management │
│ - Environment separation │
│ - Client-exposed variable distinction │
└─────────────────────────────────────────────────────────────┘┌─────────────────────────────────────────────────────────────┐
│ 客户端(浏览器) │
├─────────────────────────────────────────────────────────────┤
│ 第6阶段:UI安全 │
│ - XSS防御(输入转义) │
│ - 包含CSRF Token │
│ - 客户端不存储敏感信息 │
├─────────────────────────────────────────────────────────────┤
│ 第4/6阶段:API通信安全 │
│ - 强制HTTPS │
│ - 授权头(Bearer Token) │
│ - Content-Type验证 │
├─────────────────────────────────────────────────────────────┤
│ 第4阶段:API服务器安全 │
│ - 输入验证 │
│ - 速率限制 │
│ - 最小化错误信息(防止敏感信息泄露) │
├─────────────────────────────────────────────────────────────┤
│ 第2/9阶段:环境变量安全 │
│ - 密钥管理 │
│ - 环境隔离 │
│ - 区分客户端可暴露的变量 │
└─────────────────────────────────────────────────────────────┘Security Responsibilities by Phase
各阶段安全职责
| Phase | Security Responsibility | Verification Items |
|---|---|---|
| Phase 2 | Environment variable convention | NEXT_PUBLIC_* distinction, Secrets list |
| Phase 4 | API security design | Auth method, error codes, input validation |
| Phase 6 | Client security | XSS defense, token management, sensitive info |
| Phase 7 | Security implementation/inspection | Full security checklist |
| Phase 9 | Deployment security | Secrets injection, HTTPS, security headers |
| 阶段 | 安全职责 | 验证项 |
|---|---|---|
| 第2阶段 | 环境变量规范 | NEXT_PUBLIC_* 区分、密钥清单 |
| 第4阶段 | API安全设计 | 认证方式、错误码、输入验证 |
| 第6阶段 | 客户端安全 | XSS防御、Token管理、敏感信息 |
| 第7阶段 | 安全方案落地/检查 | 完整安全检查清单 |
| 第9阶段 | 部署安全 | 密钥注入、HTTPS、安全头 |
Client Security (Phase 6 Connection)
客户端安全(关联第6阶段)
XSS Defense Principles
XSS防御原则
⚠️ XSS (Cross-Site Scripting) Defense
1. Never use innerHTML directly
2. Always sanitize user input when rendering as HTML
3. Leverage React's automatic escaping
4. Use DOMPurify library when needed⚠️ XSS(跨站脚本攻击)防御
1. 切勿直接使用innerHTML
2. 渲染HTML时务必净化用户输入
3. 利用React的自动转义机制
4. 必要时使用DOMPurify库No Sensitive Information Storage
禁止存储敏感信息
typescript
// ❌ Forbidden: Sensitive info in localStorage
localStorage.setItem('password', password);
localStorage.setItem('creditCard', cardNumber);
// ✅ Allowed: Store only tokens (httpOnly cookies recommended)
localStorage.setItem('auth_token', token);
// ✅ More secure: httpOnly cookie (set by server)
// Set-Cookie: token=xxx; HttpOnly; Secure; SameSite=Stricttypescript
// ❌ 禁止:在localStorage中存储敏感信息
localStorage.setItem('password', password);
localStorage.setItem('creditCard', cardNumber);
// ✅ 允许:仅存储Token(推荐使用httpOnly Cookie)
localStorage.setItem('auth_token', token);
// ✅ 更安全:httpOnly Cookie(由服务器设置)
// Set-Cookie: token=xxx; HttpOnly; Secure; SameSite=StrictCSRF Defense
CSRF防御
typescript
// Include CSRF token in API client
// lib/api/client.ts
private async request<T>(endpoint: string, config: RequestConfig = {}) {
const headers = new Headers(config.headers);
// Add CSRF token
const csrfToken = this.getCsrfToken();
if (csrfToken) {
headers.set('X-CSRF-Token', csrfToken);
}
// ...
}typescript
// 在API客户端中包含CSRF Token
// lib/api/client.ts
private async request<T>(endpoint: string, config: RequestConfig = {}) {
const headers = new Headers(config.headers);
// 添加CSRF Token
const csrfToken = this.getCsrfToken();
if (csrfToken) {
headers.set('X-CSRF-Token', csrfToken);
}
// ...
}API Security (Phase 4 Connection)
API安全(关联第4阶段)
Input Validation (Server-side)
服务端输入验证
typescript
// All input must be validated on the server
import { z } from 'zod';
const CreateUserSchema = z.object({
email: z.string().email(),
password: z.string().min(8).max(100),
name: z.string().min(1).max(50),
});
// Usage in API Route
export async function POST(req: Request) {
const body = await req.json();
const result = CreateUserSchema.safeParse(body);
if (!result.success) {
return Response.json({
error: {
code: 'VALIDATION_ERROR',
message: 'Input is invalid.',
details: result.error.flatten().fieldErrors,
}
}, { status: 400 });
}
const { email, password, name } = result.data;
}typescript
// 所有输入必须在服务端验证
import { z } from 'zod';
const CreateUserSchema = z.object({
email: z.string().email(),
password: z.string().min(8).max(100),
name: z.string().min(1).max(50),
});
// 在API路由中使用
export async function POST(req: Request) {
const body = await req.json();
const result = CreateUserSchema.safeParse(body);
if (!result.success) {
return Response.json({
error: {
code: 'VALIDATION_ERROR',
message: '输入内容无效。',
details: result.error.flatten().fieldErrors,
}
}, { status: 400 });
}
const { email, password, name } = result.data;
}Error Message Security
错误信息安全
typescript
// ❌ Dangerous: Detailed error info exposure
{
message: 'User with email test@test.com not found',
stack: error.stack, // Stack trace exposed!
}
// ✅ Safe: Minimal information only
{
code: 'NOT_FOUND',
message: 'User not found.',
}
// Detailed logs only on server
console.error(`User not found: ${email}`, error);typescript
// ❌ 危险:暴露详细错误信息
{
message: '未找到邮箱为test@test.com的用户',
stack: error.stack, // 栈追踪信息泄露!
}
// ✅ 安全:仅返回最小化信息
{
code: 'NOT_FOUND',
message: '未找到用户。',
}
// 详细日志仅在服务端记录
console.error(`未找到用户: ${email}`, error);Rate Limiting
速率限制
typescript
// middleware.ts
import { Ratelimit } from '@upstash/ratelimit';
const ratelimit = new Ratelimit({
redis: Redis.fromEnv(),
limiter: Ratelimit.slidingWindow(10, '10 s'),
});
export async function middleware(request: NextRequest) {
const ip = request.ip ?? '127.0.0.1';
const { success } = await ratelimit.limit(ip);
if (!success) {
return new Response('Too Many Requests', { status: 429 });
}
}typescript
// middleware.ts
import { Ratelimit } from '@upstash/ratelimit';
const ratelimit = new Ratelimit({
redis: Redis.fromEnv(),
limiter: Ratelimit.slidingWindow(10, '10 s'),
});
export async function middleware(request: NextRequest) {
const ip = request.ip ?? '127.0.0.1';
const { success } = await ratelimit.limit(ip);
if (!success) {
return new Response('请求过于频繁', { status: 429 });
}
}Environment Variable Security (Phase 2/9 Connection)
环境变量安全(关联第2/9阶段)
Client Exposure Check
客户端暴露检查
typescript
// lib/env.ts
const serverEnvSchema = z.object({
DATABASE_URL: z.string(), // Server only
AUTH_SECRET: z.string(), // Server only
});
const clientEnvSchema = z.object({
NEXT_PUBLIC_APP_URL: z.string(), // Can be exposed to client
});
export const serverEnv = serverEnvSchema.parse(process.env);
export const clientEnv = clientEnvSchema.parse({
NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
});typescript
// lib/env.ts
const serverEnvSchema = z.object({
DATABASE_URL: z.string(), // 仅服务端可用
AUTH_SECRET: z.string(), // 仅服务端可用
});
const clientEnvSchema = z.object({
NEXT_PUBLIC_APP_URL: z.string(), // 可暴露给客户端
});
export const serverEnv = serverEnvSchema.parse(process.env);
export const clientEnv = clientEnvSchema.parse({
NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
});Security Header Configuration
安全头配置
javascript
// next.config.js
const securityHeaders = [
{ key: 'Strict-Transport-Security', value: 'max-age=63072000' },
{ key: 'X-Frame-Options', value: 'SAMEORIGIN' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
];
module.exports = {
async headers() {
return [{ source: '/:path*', headers: securityHeaders }];
},
};javascript
// next.config.js
const securityHeaders = [
{ key: 'Strict-Transport-Security', value: 'max-age=63072000' },
{ key: 'X-Frame-Options', value: 'SAMEORIGIN' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
];
module.exports = {
async headers() {
return [{ source: '/:path*', headers: securityHeaders }];
},
};Security Verification Checklist (Phase 8 Connection)
安全验证清单(关联第8阶段)
Required (All Levels)
必选项(所有级别)
- HTTPS enforcement
- No sensitive info exposed to client
- Input validation (server-side)
- XSS defense
- No sensitive info in error messages
- 强制HTTPS
- 无敏感信息暴露给客户端
- 服务端输入验证
- XSS防御
- 错误信息中无敏感内容
Recommended (Dynamic and above)
推荐项(动态级及以上)
- CSRF token applied
- Rate Limiting applied
- Security headers configured
- httpOnly cookies (auth token)
- 已应用CSRF Token
- 已配置速率限制
- 已配置安全头
- 使用httpOnly Cookie存储认证Token
Advanced (Enterprise)
高级项(企业级)
- Content Security Policy (CSP)
- Security audit logs
- Regular security scans
- 内容安全策略(CSP)
- 安全审计日志
- 定期安全扫描
Next.js SEO Example
Next.js SEO示例
tsx
// app/layout.tsx
export const metadata: Metadata = {
title: {
default: 'Site Name',
template: '%s | Site Name',
},
description: 'Site description',
openGraph: {
type: 'website',
locale: 'en_US',
url: 'https://example.com',
siteName: 'Site Name',
},
};tsx
// app/layout.tsx
export const metadata: Metadata = {
title: {
default: '站点名称',
template: '%s | 站点名称',
},
description: '站点描述',
openGraph: {
type: 'website',
locale: 'en_US',
url: 'https://example.com',
siteName: '站点名称',
},
};Template
模板
See
templates/pipeline/phase-7-seo-security.template.md请查看
templates/pipeline/phase-7-seo-security.template.mdNext Phase
下一阶段
Phase 8: Review → After optimization, verify overall code quality
第8阶段:评审 → 优化完成后,验证整体代码质量