Securing your app

Your application faces security threats like credential stuffing, brute force attacks, and cross-site scripting. Clerk provides built-in protections and configurable features to defend against them.

This page maps common threats to the Clerk features that protect your application, so you can quickly find the right configuration for your security needs.

Attack protection

Clerk provides several features to protect your application from common authentication attacks. These features are configurable in the Clerk Dashboard.

| Threat | Description | Clerk feature |
|---|---|---|
| Credential stuffing | Attackers use lists of stolen passwords to gain unauthorized access to accounts. | Client Trust automatically requires a second factor on new devices. |
| Brute force attacks | Automated scripts try many passwords against a single account. | User lockout locks accounts after repeated failed attempts. |
| Bot attacks | Automated bots create fake accounts at scale. | Bot protection uses Cloudflare to challenge suspicious sign-ups. |
| Account enumeration | Attackers probe your application to discover which accounts exist. | User enumeration protection adds rate limiting and, in strict mode, hides whether an account exists. |
| Compromised passwords | Users reuse passwords that have appeared in data breaches. | Password protection and rules checks passwords against known breaches and enforces strength requirements. |
| Spam and abuse accounts | Attackers create throwaway accounts using disposable emails or blocked domains. | Restrictions provides allowlists, blocklists, and disposable email blocking. |

Web security best practices

Clerk provides recommended protections and configurable features to address common web security concerns.

| Threat | Description | How Clerk protects you |
|---|---|---|
| Cross-site scripting (XSS) | Malicious scripts injected into trusted pages steal user data. | XSS leak protection uses HttpOnly cookies for authenticated requests and limits token exposure with short-lived app-domain tokens. |
| Cross-site request forgery (CSRF) | Attackers trick users into submitting unintended requests. | CSRF protection configures cookies with SameSite. |
| Content injection | Attackers inject unauthorized scripts or styles into your pages. | Configure CSP headers to restrict which resources can load on your pages. |
| Session fixation | Attackers hijack sessions by reusing session identifiers. | Fixation protection resets session tokens on sign-in and sign-out. |
| Phishing via email links | Attackers exploit email verification links to gain access. | If enabled, Protecting email links enforces same-device and same-browser verification. |
| Unauthorized device access | Someone signs in from an unrecognized device without the account owner's knowledge. | Unauthorized sign-in notifications alert users and allow session revocation. |

Additional security features

Beyond attack-specific protections, Clerk provides features that strengthen your overall security posture:

  • Reverification (step-up authentication) — Require users to re-verify their identity before performing sensitive actions like changing their password or accessing billing settings.
  • Session options — Configure session lifetimes, inactivity timeouts, and single-session mode to control how long sessions stay active.
  • Geo blocking — Restrict access to your application based on geographic location.

Next steps

Enable Client Trust

Protect your users from credential stuffing attacks with automatic second-factor verification on new devices.

Configure password protection

Enforce password strength requirements and check passwords against known data breaches.

Set up bot protection

Prevent automated bots from creating fake accounts in your application.

Review session options

Configure session lifetimes and timeouts to balance security with user experience.