DEV Community

Yarley Perez

The Security First Guide to AI Development: Edge Functions, Rate Limiting, and Supabase

Building an AI application is exciting, but it has a "dark side" that few mention at the beginning: security.

If you don't prioritize security from day one, you not only risk your users' data, but you also leave your "wallet" open (via API keys) for anyone to consume your tokens and leave you with an astronomical bill.

In this post, we'll break down the 4 pillars to secure your AI architecture using Next.js, Edge Functions, and Supabase.


1. The Frontend is Enemy Territory

The most common mistake is calling OpenAI, Anthropic, or Gemini directly from the client.

The problem: Any user with minimal knowledge can open the browser console (F12), go to the "Network" tab, and see your API key in the headers. Once they have your key, they can use it in their own projects at your expense.

The solution: Move all the logic to the server.

Use Edge Functions or API Routes. Keys should only reside in environment variables (.env) that the client can never read.

Golden rule: If your environment variable starts with NEXT_PUBLIC_, it's public. Never put an API Key there.


2. Input Validation: Trust No One

"Prompt Injection" is real. An attacker can embed malicious instructions in the input to try to confuse the model and extract data it shouldn't see.

To prevent this, we must implement a robust validation layer. A simple if statement isn't enough; ideally, use a schema validation library like Zod to validate and clean the input before it reaches the AI.

```typescript
// Example of validation with Zod in an Edge Function
import { z } from 'zod';

const promptSchema = z.object({
  // Trim first so the length checks apply to the trimmed string
  userInput: z.string().trim().min(3).max(500),
});

export default async function handler(req: Request) {
  // A body that is not valid JSON becomes null and fails validation below
  const body = await req.json().catch(() => null);

  // If the input does not pass validation, stop execution here
  const result = promptSchema.safeParse(body);

  if (!result.success) {
    return new Response("Input no válido o sospechoso", { status: 400 });
  }

  // Continue with the AI call, using the validated result.data.userInput...
}
```


3. Delegate Authentication (Don't reinvent the wheel)

Managing passwords, sessions, and encryption yourself is the fastest way to suffer a security breach.

It's best to delegate this to expert services. I use Supabase because:

Easy integration: You don't have to worry about configuring complex user databases.

Native security: It automatically handles JWT tokens.

Access control: You can secure your API routes so that only authenticated users can consume your AI credits.


4. Rate Limiting: Put a stop to abuse

Imagine someone programs a bot to make a million requests per minute to your tool. If you don't have limits, your bank account will suffer the consequences.

You must limit the number of requests (Rate Limit). This way, if someone tries to abuse the system, they are automatically blocked after, for example, 5 requests per minute.

Benefits of Rate Limiting:

You prevent Denial-of-Service (DoS) attacks.

You control your app's operating cost (Burn rate).

You protect service availability for other users.
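
One way to implement the 5-requests-per-minute limit described above, as an added example that is not part of the original post. The names `SlidingWindowLimiter` and `toHttp` are hypothetical, the limiter is keyed by the authenticated user id, and state is kept in memory for a single instance (an assumption; several instances would need a shared store).

```typescript
// Added example with hypothetical names: a sliding-window rate limiter.
// Assumption: state lives in memory for one instance; several instances
// would need a shared external store, which is outside this sketch.

type Decision = { allowed: boolean; remaining: number; retryAfterSec: number };

class SlidingWindowLimiter {
  // key -> timestamps (ms) of the requests accepted inside the current window
  private hits = new Map<string, number[]>();
  private limit: number;
  private windowMs: number;

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // `key` should be the authenticated user id, never a client-supplied value.
  check(key: string, now: number = Date.now()): Decision {
    const cutoff = now - this.windowMs;
    // Drop timestamps that have already left the window.
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);

    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // A slot frees up when the oldest accepted request leaves the window.
      const oldest = recent[0] ?? now;
      const retryAfterSec = Math.ceil((oldest + this.windowMs - now) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }

    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterSec: 0 };
  }
}

// Map a decision to the HTTP status and headers the route handler would return.
function toHttp(d: Decision): { status: number; headers: Record<string, string> } {
  return d.allowed
    ? { status: 200, headers: { "X-RateLimit-Remaining": String(d.remaining) } }
    : { status: 429, headers: { "Retry-After": String(d.retryAfterSec) } };
}

// Constructed demo: user "u1" sends six requests, one per second.
const limiter = new SlidingWindowLimiter(5, 60000);
const demo = [0, 1, 2, 3, 4, 5].map((s) => toHttp(limiter.check("u1", s * 1000)));
console.log(demo.map((r) => r.status).join(" "));
```

Run the check after authentication and before the call to the AI provider, so a rejected request never consumes tokens.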
