HIGHSecuritytrivialNext.js + Supabase Standards

Mark server modules with import "server-only"

Add import "server-only" to any module that uses secrets, database connections, or server-only APIs.

Why This Matters

Without the server-only marker, Next.js won't prevent accidental imports into client components. The build succeeds but secrets leak.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 2+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

The server-only package is a build-time safeguard. When imported, any attempt to bundle this module for the client will throw a build error.

Good

// lib/supabase/admin.ts
import "server-only"
 
export function createAdminClient() {
  return createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY!)
}

How to Install

npm install server-only

Add import "server-only" as the first line of any file that:

Uses SUPABASE_SERVICE_ROLE_KEY
Accesses database directly
Reads non-NEXT_PUBLIC_ env vars

Mark server modules with import "server-only"

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Good

How to Install