[{"data":1,"prerenderedAt":200},["ShallowReactive",2],{"blog-blueprints/t3-stack":3},{"id":4,"title":5,"body":6,"category":180,"date":181,"dateModified":181,"description":182,"draft":183,"extension":184,"faq":185,"featured":183,"headerVariant":186,"image":185,"keywords":185,"meta":187,"navigation":188,"ogDescription":189,"ogTitle":185,"path":190,"readTime":191,"schemaOrg":192,"schemaType":193,"seo":194,"sitemap":195,"stem":196,"tags":197,"twitterCard":198,"__hash__":199},"blog/blog/blueprints/t3-stack.md","T3 Stack Security Blueprint",{"type":7,"value":8,"toc":169},"minimark",[9,20,23,29,34,49,53,62,66,75,84,88,93,96,99,102,105,108,122,157],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a T3 Stack application,"," you need to: (1) use protectedProcedure for all authenticated tRPC routes, (2) access user data from ctx.session.user (never from client input), (3) validate all inputs with Zod schemas, (4) configure NextAuth secret and callbacks properly, and (5) let Prisma handle SQL injection prevention through parameterized queries. This blueprint covers tRPC middleware patterns with NextAuth integration.",[21,22],"blueprint-meta",{},[24,25,26],"tldr",{},[13,27,28],{},"T3 Stack has excellent security primitives built-in. 
Use protectedProcedure for authenticated routes, access ctx.session.user for verified user data, let Prisma handle SQL injection prevention, and configure NextAuth callbacks properly for JWT claims.",[30,31,33],"h2",{"id":32},"trpc-context-setup-trpc","tRPC Context Setup tRPC",[35,36,38],"code-block",{"label":37},"src/server/api/trpc.ts",[39,40,45],"pre",{"className":41,"code":43,"language":44},[42],"language-text","import { initTRPC, TRPCError } from '@trpc/server'\nimport { getServerAuthSession } from '@/server/auth'\n\nexport const createTRPCContext = async (opts: { headers: Headers }) => {\n  const session = await getServerAuthSession()\n  return { session, ...opts }\n}\n\nconst t = initTRPC.context\u003Ctypeof createTRPCContext>().create()\n\nexport const publicProcedure = t.procedure\n\nexport const protectedProcedure = t.procedure.use(({ ctx, next }) => {\n  if (!ctx.session || !ctx.session.user) {\n    throw new TRPCError({ code: 'UNAUTHORIZED' })\n  }\n  return next({\n    ctx: {\n      session: { ...ctx.session, user: ctx.session.user },\n    },\n  })\n})\n","text",[46,47,43],"code",{"__ignoreMap":48},"",[30,50,52],{"id":51},"protected-router-trpc-prisma","Protected Router tRPC Prisma",[35,54,56],{"label":55},"src/server/api/routers/post.ts",[39,57,60],{"className":58,"code":59,"language":44},[42],"import { z } from 'zod'\nimport { createTRPCRouter, protectedProcedure } from '@/server/api/trpc'\n\nexport const postRouter = createTRPCRouter({\n  getAll: protectedProcedure.query(async ({ ctx }) => {\n    return ctx.db.post.findMany({\n      where: { authorId: ctx.session.user.id },\n    })\n  }),\n\n  create: protectedProcedure\n    .input(z.object({\n      title: z.string().min(1).max(200),\n      content: z.string().min(1),\n    }))\n    .mutation(async ({ ctx, input }) => {\n      return ctx.db.post.create({\n        data: {\n          title: input.title,\n          content: input.content,\n          authorId: ctx.session.user.id,  // Verified user ID\n  
      },\n      })\n    }),\n})\n",[46,61,59],{"__ignoreMap":48},[30,63,65],{"id":64},"nextauth-configuration-nextauth","NextAuth Configuration NextAuth",[35,67,69],{"label":68},"src/server/auth.ts",[39,70,73],{"className":71,"code":72,"language":44},[42],"import NextAuth from 'next-auth'\nimport { PrismaAdapter } from '@auth/prisma-adapter'\n\nexport const { auth, handlers, signIn, signOut } = NextAuth({\n  adapter: PrismaAdapter(db),\n  callbacks: {\n    session: ({ session, user }) => ({\n      ...session,\n      user: {\n        ...session.user,\n        id: user.id,\n        role: user.role,  // Include role if needed\n      },\n    }),\n  },\n  providers: [\n    // Your providers\n  ],\n})\n",[46,74,72],{"__ignoreMap":48},[76,77,78],"warning-box",{},[13,79,80,83],{},[16,81,82],{},"Always use protectedProcedure for authenticated routes."," publicProcedure has no auth check. Never access user data directly from the client — use ctx.session.user.",[30,85,87],{"id":86},"security-checklist","Security Checklist",[89,90,92],"h4",{"id":91},"pre-launch-checklist","Pre-Launch Checklist",[13,94,95],{},"All sensitive routes use protectedProcedure",[13,97,98],{},"User ID from ctx.session.user (not input)",[13,100,101],{},"Zod schemas validate all inputs",[13,103,104],{},"NextAuth secret configured",[13,106,107],{},"Database connection string secured",[109,110,111,117],"related-articles",{},[112,113],"related-card",{"description":114,"href":115,"title":116},"Similar stack","/blog/blueprints/nextjs-prisma-planetscale","Next.js + Prisma + PlanetScale",[112,118],{"description":119,"href":120,"title":121},"Deep dive","/blog/guides/auth0","Authentication Guide",[123,124,125,130,133],"stack-comparison",{},[126,127,129],"h3",{"id":128},"alternative-stacks","Alternative Stacks",[13,131,132],{},"Consider these related blueprints:",[134,135,136,143,150],"ul",{},[137,138,139,142],"li",{},[140,141,116],"a",{"href":115}," - Without 
tRPC",[137,144,145,149],{},[140,146,148],{"href":147},"/blog/blueprints/nextjs-supabase-vercel","Next.js + Supabase + Vercel"," - With Supabase backend",[137,151,152,156],{},[140,153,155],{"href":154},"/blog/blueprints/mern-stack","MERN Stack"," - MongoDB/Express alternative",[158,159,162,166],"cta-box",{"href":160,"label":161},"/","Start Free Scan",[30,163,165],{"id":164},"check-your-t3-stack-app","Check Your T3 Stack App",[13,167,168],{},"Scan for auth and validation issues.",{"title":48,"searchDepth":170,"depth":170,"links":171},2,[172,173,174,175,179],{"id":32,"depth":170,"text":33},{"id":51,"depth":170,"text":52},{"id":64,"depth":170,"text":65},{"id":86,"depth":170,"text":87,"children":176},[177],{"id":128,"depth":178,"text":129},3,{"id":164,"depth":170,"text":165},"blueprints","2026-02-11","Security guide for T3 Stack (Next.js, tRPC, Prisma, NextAuth). Protect tRPC procedures, configure Prisma safely, implement NextAuth patterns, and secure your T3 app.",false,"md",null,"purple",{},true,"Complete security configuration for T3 Stack applications.","/blog/blueprints/t3-stack","12 min read","[object Object]","Article",{"title":5,"description":182},{"loc":190},"blog/blueprints/t3-stack",[],"summary_large_image","StgIIMsVKhlZMubbmk4JtPkoY1XppesZS5v2vCXHJpE",1775843920226]