惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
T
Threatpost
P
Palo Alto Networks Blog
NISL@THU
NISL@THU
O
OpenAI News
Project Zero
Project Zero
G
GRAHAM CLULEY
P
Privacy International News Feed
A
Arctic Wolf
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
D
Docker
aimingoo的专栏
aimingoo的专栏
博客园 - 【当耐特】
N
Netflix TechBlog - Medium
云风的 BLOG
云风的 BLOG
雷峰网
雷峰网
W
WeLiveSecurity
P
Proofpoint News Feed
腾讯CDC
Cloudbric
Cloudbric
S
Secure Thoughts
C
Check Point Blog
博客园 - Franky
T
The Exploit Database - CXSecurity.com
T
Troy Hunt's Blog
GbyAI
GbyAI
Security Archives - TechRepublic
Security Archives - TechRepublic
Application and Cybersecurity Blog
Application and Cybersecurity Blog
月光博客
月光博客
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
TaoSecurity Blog
TaoSecurity Blog
L
Lohrmann on Cybersecurity
V
Visual Studio Blog
F
Fortinet All Blogs
博客园 - 叶小钗
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
C
Cisco Blogs
博客园 - 司徒正美
Stack Overflow Blog
Stack Overflow Blog
Y
Y Combinator Blog
Apple Machine Learning Research
Apple Machine Learning Research

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
I built a production ready NEXT.JS starter so you dont have to!
Salman Shahriar · 2026-06-22 · via DEV Community

Every time I started a new Next.js project, I lost the first week to setup.

Authentication. Internationalization. Role-based access. SEO meta tags. Environment validation. Error monitoring. Linting. Testing. CI pipelines.

By the time I had a working foundation, the excitement was gone, buried under configuration files and boilerplate glue code.

I kept rebuilding the same foundation across SaaS projects, so I stopped and built it once: Next Elite.

It is a frontend-first Next.js 16 + React 19 boilerplate designed to consume APIs (REST/GraphQL/BFF) instead of owning a database, allowing you to drop it on top of any backend you already have. It is optimized for speed, SEO, and developer productivity, and it is 100% open source under the MIT license.

Live Demo · GitHub Repo · Use This Template · Deploy on Vercel

Next.js Elite production-ready SaaS boilerplate cover

TL;DR: git clone, npm install, cp .env.example .env, npm run dev. You get auth, RBAC dashboards, 6-language i18n, SEO, forms, testing, and CI. Try the demo.


Table of Contents

  1. Why Another Next.js Boilerplate? (The Concept)
  2. What's Inside: The Next Elite Stack & Features
  3. Lighthouse Score: 100% Performance & SEO
  4. Quick Start: Launch Your Project in 60 Seconds
  5. Deep Dive: How Next Elite Works Under the Hood
  6. Clean Feature-Based Directory Structure
  7. Architectural Caveats: What Next Elite is NOT
  8. Production Checklist: Going Live
  9. Contributing & Open Source

1. Why Another Next.js Boilerplate? (The Concept)

Most Next.js starters on GitHub are either too bare (providing just a dark mode toggle and a "TODO: add auth" comment) or too bloated (bundling Prisma, PostgreSQL, Docker Compose, stripe webhooks, and an ORM tightly coupled to their own DB schema).

If you already have a backend (written in Go, Python, Laravel, or Node.js) or want to build a backend-for-frontend (BFF) architecture, tearing out the built-in database layer from a boilerplate is painful.

Next Elite sits in the sweet spot. It handles the complex frontend foundation, UI components, role management, and locale settings while leaving the database and api fetching structure flexible. It’s built to consume APIs directly, allowing you to drop it on top of any backend you already have.

Who is this boilerplate for?

  • SaaS applications requiring complex role authorization.
  • Internationalized projects that need to support multiple languages (LTR and RTL).
  • Frontend-first architectures consuming REST, GraphQL, or a backend-for-frontend (BFF).
  • Single-page landing websites (Next Elite is likely overkill).
  • Tightly-coupled monoliths requiring a database layer in the same repository.

2. What's Inside: The Next Elite Stack & Features

Here is the clean, high-performance tech stack built into Next Elite, broken down by core categories:

Frameworks & Core

  • Next.js 16 (App Router) & React 19 – Fast, modern React framework with full support for React 19 features (Server/Client components, Server Actions).
  • TypeScript 6 – End-to-end type safety for rock-solid refactoring and developer experience.
  • Node.js 22 (LTS) – Built on the latest LTS runtime.
  • Feature-Based Architecture – Structured around self-contained vertical slices/feature folders under src/features/ for maximum modularity and clean separation of concerns.

Authentication & Access Control

  • BetterAuth – Out-of-the-box email/password and OAuth (Google) authentication using /api/auth/* route handlers. Configure admin emails via AUTH_ADMIN_EMAILS or NEXT_PUBLIC_AUTH_ADMIN_EMAILS.
  • Role-Based Access Control (RBAC) – Flexible RBAC (user and admin roles) with server-side guards (requireUser, requirePermission) and parallel route slots (@admin, @user) for role-agnostic routing.

Internationalization (i18n)

  • next-intl – Type-safe, cookie-based localizations (no URL prefix) with support for English, বাংলা, العربية (RTL), Français, Español, and 简体中文. Translation keys are type-checked (t("key") works; typos fail compile-time).

UI & Styling

  • shadcn/ui – Highly customizable UI components built with Tailwind CSS, Radix UI, and CVA.

    Next Elite UI Components
  • Theme Support – Clean light/dark mode transitions via theme toggle.

API & Data Fetching

  • TanStack Query (React Query) – Powerful client-side state management, caching, and data synchronization.
  • apiFetch Client – A custom Zod-validated ofetch wrapper in src/libs/api-client.ts supporting type-safe queries and mutations. Includes a complete users example feature.

Observability & Infrastructure

  • Sentry Integration – Complete error tracking and performance instrumentation for client and server.
  • Logging – Clean, fast server-side logging using pino.
  • Rate Limiting – Optional rate-limiting helper using Upstash Redis.
  • Health Probes – Direct GET /api/health endpoint for load balancers.

Quality Gates & Tooling

  • Testing Suite – Unit/component testing with Vitest and React Testing Library, and E2E testing with Playwright.
  • Hygiene & Linting – ESLint 9, Prettier formatting, and Knip for dead code/dependency hygiene.
  • Git Hook Automation – Lefthook pre-commit hooks and Commitlint to maintain codebase quality.

3. Lighthouse Score: 100% Performance & SEO

One of the key goals of Next Elite was achieving flawless performance and SEO defaults. Out-of-the-box, the production build scores a perfect 100 across the board on Lighthouse:

Next Elite Lighthouse Report - 100 Performance, Accessibility, Best Practices, and SEO

This is achieved by rendering Server Components by default, minimizing client-side javascript, optimizing images, and dynamically serving optimized SEO meta tags from a single configuration file.


4. Quick Start: Launch Your Project in 60 Seconds

Local Setup

Getting started is simple. Clone the repository, install dependencies, copy environment variables, and run:

git clone https://github.com/salmanshahriar/Next-Elite.git
cd Next-Elite
npm install
cp .env.example .env
npm run dev

Open http://localhost:3000 to see your app running locally.

Demo Credentials

When NEXT_PUBLIC_DEMO_MODE=true is enabled, the login screen includes a quick-fill panel with these seed credentials:

Role Email Password
User user@test.com 12345678
Admin admin@test.com 12345678

[!NOTE]
For production deployments, set NEXT_PUBLIC_DEMO_MODE=false or remove the self-contained src/features/auth/demo/ module.

Docker Setup

Run the application locally via Docker:

cp .env.example .env
docker build -t next-elite .
docker run --rm --env-file .env -p 3000:3000 next-elite

Or using Docker Compose:

docker compose up --build

View Available Scripts & CLI Commands

Command Description
npm run dev Start the dev server (Turbopack)
npm run build Production build
npm run start Start the production server
npm run analyze Build with @next/bundle-analyzer
npm run typecheck tsc --noEmit
npm run lint ESLint + Prettier check
npm run lint:fix Auto-fix ESLint + Prettier
npm run knip Detect unused files / exports / dependencies
npm run check typecheck + lint + knip + tests (CI gate)
npm run test Vitest run
npm run test:watch Vitest watch
npm run e2e Playwright E2E
npm run e2e:ui Playwright UI mode
npm run e2e:webkit Playwright WebKit only

5. Deep Dive: How Next Elite Works Under the Hood

Architecture & Request Flow

Next Elite separates server-side security checks from client-side interactive components. Here is how a request flows:

Next Elite Architecture Flow

  1. User opens a page — the Server Component renders first.
  2. Auth + role checkrequireUser() / requirePermission() read the BetterAuth session and redirect to /login or /unauthorized if needed.
  3. HTML is sent to the browser; translations come from messages/ via next-intl.
  4. Live data (lists, forms, etc.) is fetched on the client with TanStack Query → apiFetch → your API.

🔐 Type-Safe RBAC & BetterAuth

Permissions are checked on the server, not with scattered if (role === 'admin') checks.

View Auth & RBAC Usage Example

// Server Component example
import { requirePermission } from '@/features/auth/rbac/require';

const AdminDashboardPage = async () => {
  // Guard the page on the server. If fails, it automatically redirects or errors.
  const user = await requirePermission('dashboard.view:admin');
  return <h1>Welcome {user.email}</h1>;
};

export default AdminDashboardPage;

Next Elite utilizes Next.js Parallel Routes to clean up role-agnostic layouts. The routing structure mounts specific slots based on the user's role:

src/app/(protected)/
  ├── @admin/dashboard/     # Admin dashboard slot
  ├── @user/dashboard/      # User dashboard slot
  └── layout.tsx            # Dynamically renders the correct dashboard

Adding a New Role

  1. Append the role to the UserRole union in src/features/auth/rbac/permissions.ts.
  2. Map permissions for the role in src/features/auth/rbac/roles.ts.
  3. Optional: add a parallel route slot — src/app/(protected)/@/... — and update (protected)/layout.tsx to render it based on permissions.

🌐 Zero-Prefix cookie-based i18n

Unlike standard i18n configurations that force prefixes like /en/ or /es/ in the URL (which can clutter routes and create duplicate routing configurations), Next Elite implements zero-prefix cookie-based locales.

Adding a Language

  1. Add the locale code to languages.supported in site.config.json and add an entry under languages.locales.
  2. Create messages/.json mirroring messages/en.json.
  3. The next-intl runtime picks it up automatically; types update from src/global.d.ts.

📈 Site & SEO Configuration

SEO parameters, sitemap generation, and manifests are driven by src/features/site/site.config.json as the single source of truth:

{
  "appName": "Next Elite",
  "domain": "https://yourdomain.com",
  "tagline": "Frontend-first, API-driven, batteries included.",
  "title": "Next Elite — Production-Ready SaaS Boilerplate",
  "description": "Frontend-first Next.js 16 + React 19 boilerplate with i18n, RBAC and BetterAuth."
}


📡 API client & Data Validation

The custom apiFetch client in src/libs/api-client.ts uses ofetch and integrates with Zod validation. This guarantees type-safe request schemas and API responses.

View API Fetch & Form Usage Examples

API Request:

// src/features/users/api.ts
export async function getUsers(): Promise {
  return apiFetch('/users', { schema: userListSchema });
}

Client Form with Zod validation:

'use client';

import { zodResolver } from '@hookform/resolvers/zod';
import { useForm } from 'react-hook-form';
import { loginSchema, type LoginInput } from '@/features/auth/schemas/login';

const form = useForm({
  resolver: zodResolver(loginSchema),
  defaultValues: { email: '', password: '' },
});


6. Clean Feature-Based Directory Structure

Next Elite uses a Feature-Based (Vertical Slice) Architecture under src/features/. Each folder contains its own API requests, components, hooks, schemas, and routing logic. Shared utilities live under src/libs/ or src/components/shared/.

Expand Directory Structure View

.
├── .github/
│   └── workflows/            # CI: lint, typecheck, tests, Playwright
├── config/                   # Vitest config &amp; test setup
├── e2e/                      # Playwright E2E tests
├── messages/                 # Translation JSONs (en, bn, ar, fr, es, zh)
├── public/                   # Static assets
├── src/
│   ├── app/                  # Next.js App Router Pages &amp; Layouts
│   │   ├── (auth)/           # Auth views (login, register, reset password)
│   │   ├── (public)/         # Public landing and marketing routes
│   │   └── (protected)/      # Protected area rendering slot-based RBAC
│   ├── components/
│   │   ├── shared/           # Cross-app reusable components
│   │   └── ui/               # shadcn UI primitive elements
│   ├── features/             # Self-contained feature folders (vertical slices)
│   │   ├── auth/             # BetterAuth configurations &amp; role management
│   │   ├── i18n/             # next-intl bootstrap and hooks
│   │   ├── site/             # Site details &amp; SEO configuration
│   │   └── users/            # Example modular API feature
│   └── libs/                 # Core wrapper clients (api-client, logger, env)
└── package.json              # Script configurations &amp; dependencies


7. Architectural Caveats: What Next Elite is NOT

To keep the boilerplate clean and adaptable, I made specific design trade-offs:

  1. No Database Bundled: There is no Prisma, Drizzle, Postgres, or MongoDB setup. Next Elite is built to communicate with an external API. If you need local mock data or a quick mock DB, you'll need to hook that up.
  2. Simple RBAC System: The starter RBAC covers two roles (user and admin) with a fast-path admin list via environment variables. For complex multi-tenant permissions, we recommend mapping roles on your main database and API layer.
  3. Cookie-Based i18n: By storing user localization choice in a cookie rather than a path-prefix (like /en/dashboard), routes remain simpler, but path-prefixed SEO indexing for multiple locales will require a custom router setup.
  4. Local BetterAuth Sessions: By default, session keys run locally. A session adapter is recommended for production setups using multiple server instances.

8. Production Checklist: Going Live

Before deploying Next Elite to production, run through these essential configuration steps:

  1. Configure Auth Secrets: Set BETTER_AUTH_SECRET (at least 32 characters long) in your hosting dashboard.
  2. Add a Session Storage Adapter: BetterAuth requires an external database or Redis adapter to manage server sessions in multi-instance production environments.
  3. Disable Demo Mode: Set NEXT_PUBLIC_DEMO_MODE=false or completely delete the src/features/auth/demo/ folder.
  4. Link Your API: Implement your backend endpoints or update NEXT_PUBLIC_APP_URL to point to your live REST/GraphQL/BFF service.
  5. Update SEO Metadata: Change site.config.json with your project domain name, official OG image, and app description.
  6. Activate Logging & Error Tracing: Add Sentry and Pino configurations to track errors in real-time.

9. Contributing & Open Source

Next Elite is free and open-source under the MIT license. Contributions, bug reports, and discussions are welcome!

  1. Fork the repository and create a feature branch (git checkout -b feat/my-feature).
  2. Ensure linting, types, and tests pass by running npm run check.
  3. Follow the Conventional Commits standard (which is automatically validated via Lefthook pre-commit hooks).
  4. Create a Pull Request back to the main branch.

If this starter boilerplate saves you development time, consider giving the repo a star! ⭐

Live Demo · GitHub Repo · Use Template · Deploy on Vercel