Nuxt 3 + Drizzle + Vercel security playbook

Nuxt + Drizzle gives you a type-safe full stack. The recurring security questions on it are server/api authentication, runtimeConfig scope confusion, and rate limiting of server routes.

What breaks on this stack

Server route without auth

Every server/api/*.ts file is a public endpoint: it accepts any caller unless server middleware (or the handler itself) checks the session first.

runtimeConfig.public misuse

Anything placed under runtimeConfig.public is serialized into the client payload, so a server secret put there ships to every visitor. Only top-level (private) runtimeConfig keys stay server-side.
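
The same runtimeConfig written the wrong way and the right way, plus a small pre-ship audit, as an added example that is not the playbook's own code. In nuxt.config.ts the object is passed to defineNuxtConfig({ runtimeConfig }); here it is a plain object so the file runs stand-alone, the key values are constructed placeholders, and findSecretsInPublic is a hypothetical helper for a test script, not a Nuxt API.

```typescript
// Added example, not from the playbook: runtimeConfig scoping.
// In nuxt.config.ts this object goes into defineNuxtConfig({ runtimeConfig });
// it is a plain object here so the file runs stand-alone.

export interface RuntimeConfig {
  public?: Record<string, unknown>;
  [privateKey: string]: unknown;
}

// WEAK: anything under `public` is serialized into the client payload,
// so this key is readable by every visitor. Value is a constructed placeholder.
export const weakConfig: RuntimeConfig = {
  public: {
    apiBase: "/api",
    stripeSecretKey: "sk_live_PLACEHOLDER",
  },
};

// CORRECTED: top-level keys are private and only reachable from server
// code via useRuntimeConfig(event); the client still sees public.apiBase.
export const fixedConfig: RuntimeConfig = {
  stripeSecretKey: "sk_live_PLACEHOLDER",
  public: {
    apiBase: "/api",
  },
};

// Hypothetical audit helper for a pre-ship test: flags public keys whose
// name or value looks like a credential. Checks only the top level of `public`.
const SECRET_NAME = /(secret|private|password|token|api[_-]?key|credential)/i;
const SECRET_VALUE = /^(sk_|AKIA|ghp_|xox[bp]-)/;

export function findSecretsInPublic(config: RuntimeConfig): string[] {
  const flagged: string[] = [];
  for (const [key, value] of Object.entries(config.public ?? {})) {
    const byName = SECRET_NAME.test(key);
    const byValue = typeof value === "string" && SECRET_VALUE.test(value);
    if (byName || byValue) flagged.push(key);
  }
  return flagged;
}
```

Remember that environment variables override these keys at runtime with the same split: NUXT_PUBLIC_* variables land in public, everything else NUXT_* stays private, so a NUXT_PUBLIC_ prefix on a secret leaks it just as surely as the config above.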

BOLA on dynamic server routes

A handler such as server/api/orders/[id].ts that fetches the row by id alone lets any authenticated user read any order; the lookup must also check that the caller owns the record.
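
The ownership check such a handler needs, as an added example that is not the playbook's code. An in-memory array stands in for the Drizzle table and a plain function for the h3 handler so it runs stand-alone; the User, Order and sample rows are constructed, and the predicate is the part to carry over (the Drizzle equivalent is given in a comment).

```typescript
// Added example, not the playbook's code: ownership check for a dynamic
// route like server/api/orders/[id].ts, with an in-memory table.

export interface User { id: string; role: "user" | "admin" }
export interface Order { id: string; ownerId: string; total: number }

// Constructed sample rows standing in for the orders table.
const orders: Order[] = [
  { id: "o-1", ownerId: "u-alice", total: 120 },
  { id: "o-2", ownerId: "u-bob", total: 45 },
];

export interface Result { status: 200 | 400 | 401 | 404; body?: Order }

// Route params are untrusted strings: validate their shape before any lookup.
const ORDER_ID = /^o-\d+$/;

export function getOrder(user: User | undefined, rawId: string | undefined): Result {
  if (!user) return { status: 401 };
  const caller: User = user;
  if (!rawId || !ORDER_ID.test(rawId)) return { status: 400 };
  // Ownership is part of the lookup predicate itself, the equivalent of
  // where(and(eq(orders.id, id), eq(orders.ownerId, user.id))) in Drizzle,
  // so there is no separate post-fetch comparison to forget. Admins bypass it.
  const row = orders.find(
    (o) => o.id === rawId && (caller.role === "admin" || o.ownerId === caller.id),
  );
  // 404 for both "missing" and "not yours" keeps other users' ids unconfirmed.
  return row ? { status: 200, body: row } : { status: 404 };
}
```

In the real handler the id comes from getRouterParam(event, "id") and the caller from event.context.user, which the auth middleware in the starter config populates; the handler should refuse with 401 rather than proceed when that field is missing.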

Drizzle raw SQL

Drizzle's sql`...` tagged template binds interpolated values as parameters; sql.raw() splices its string into the query verbatim and requires care. Keep user input in bound parameters.
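
To make the difference concrete, the following is an added example, not Drizzle's implementation: a minimal tagged template that builds a parameterized statement the way sql`...` does, next to a raw() that behaves like sql.raw(), and the allowlist pattern for the one place raw text is legitimately needed (identifiers such as ORDER BY columns, which no driver can bind). The query text, table and hostile input are constructed.

```typescript
// Added example, not Drizzle's code: why sql`...${value}` is safe and
// sql.raw(string) is not. Each interpolated value becomes a positional
// placeholder and travels to the driver separately from the SQL text.

export interface ParamQuery { text: string; params: unknown[] }

export function sql(strings: TemplateStringsArray, ...values: unknown[]): ParamQuery {
  let text = "";
  const params: unknown[] = [];
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) {
      params.push(values[i]);
      text += `$${params.length}`; // Postgres-style $1, $2, ...
    }
  });
  return { text, params };
}

// Counterpart to sql.raw(): the string is spliced into the query verbatim.
export function raw(fragment: string): ParamQuery {
  return { text: fragment, params: [] };
}

// Constructed hostile input, used only to show where it ends up.
export const hostileId = "1 OR 1=1";

// SAFE: the input is a parameter; the SQL text never changes.
export function lookupBound(id: string): ParamQuery {
  return sql`SELECT * FROM orders WHERE id = ${id}`;
}

// UNSAFE: the input is concatenated into the SQL text before raw() sees it.
export function lookupRaw(id: string): ParamQuery {
  return raw(`SELECT * FROM orders WHERE id = ${id}`);
}

// Identifiers cannot be bound, so the legitimate use of raw text is an
// allowlist: anything not on it is rejected before it touches the query.
const SORTABLE = new Set(["created_at", "total"]);

export function orderBy(column: string): ParamQuery {
  if (!SORTABLE.has(column)) throw new Error(`unsortable column: ${column}`);
  return raw(`ORDER BY ${column}`);
}
```

With Drizzle itself the same rules apply: interpolate values only through sql`...` or the query builder's eq()/and() helpers, and reach for sql.raw() only with strings your own code produced from an allowlist.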

Pre-ship checklist

  • server-route middleware enforces auth
  • runtimeConfig private for secrets
  • ownership check on every dynamic route
  • Drizzle parameterized queries
  • rate limit on paid-API proxy routes
  • Vercel deploy-gate enabled
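
For the rate-limit item, here is an added example that is not Nuxt or Vercel code: a token-bucket limiter for a paid-API proxy route, keyed on the authenticated user that the auth middleware sets. The Policy shape, the limitKey helper and the clock injection are this example's own choices; the store is in-memory, so on Vercel each serverless instance limits independently and a shared store such as Redis is needed for a global limit.

```typescript
// Added example, not Nuxt/Vercel code: token-bucket rate limit for a
// server route that proxies a paid upstream API.

export interface Policy { capacity: number; refillPerSecond: number }
interface Bucket { tokens: number; updatedAt: number }

export class TokenBucketLimiter {
  private readonly buckets = new Map<string, Bucket>();

  // `now` is injectable so behaviour is deterministic under test.
  constructor(
    private readonly policy: Policy,
    private readonly now: () => number = () => Date.now(),
  ) {}

  // Consumes one token if one is available; false means "429 Too Many Requests".
  allow(key: string): boolean {
    const t = this.now();
    const b = this.buckets.get(key) ?? { tokens: this.policy.capacity, updatedAt: t };
    const refill = ((t - b.updatedAt) / 1000) * this.policy.refillPerSecond;
    b.tokens = Math.min(this.policy.capacity, b.tokens + refill);
    b.updatedAt = t;
    const ok = b.tokens >= 1;
    if (ok) b.tokens -= 1;
    this.buckets.set(key, b);
    return ok;
  }
}

// Prefer the user id set by the auth middleware; fall back to the client IP
// only on anonymous routes, since IPs are shared behind NAT and proxies.
export function limitKey(userId: string | undefined, ip: string): string {
  return userId ? `user:${userId}` : `ip:${ip}`;
}

// Handler wiring in the real route (h3 calls shown as comments, not executed):
//   const limiter = new TokenBucketLimiter({ capacity: 30, refillPerSecond: 0.5 });
//   const user = event.context.user;
//   if (!limiter.allow(limitKey(user?.id, getRequestIP(event) ?? "unknown")))
//     throw createError({ statusCode: 429, statusMessage: "Too Many Requests" });
```

The limit belongs after the auth middleware, not before it, so that the key is the verified user rather than a header the client controls; an unauthenticated request to a private proxy route should already have been rejected with 401.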

Starter config

// server/middleware/auth.ts
// defineEventHandler, createError and getRequestURL come from h3 and are
// auto-imported in Nuxt server code; the explicit import also works.
import { defineEventHandler, createError, getRequestURL } from "h3";

// Nuxt server middleware runs on every request, so gate by path. Match the
// directory itself or a path below it, so that a route such as
// "/api/private-stats" is not silently treated as protected.
const isPrivatePath = (p: string) => p === "/api/private" || p.startsWith("/api/private/");

export default defineEventHandler(async (event) => {
  if (isPrivatePath(getRequestURL(event).pathname)) {
    // getUser: the app's own session lookup (for example a server/utils helper,
    // which Nuxt auto-imports); not shown here.
    const user = await getUser(event);
    if (!user) throw createError({ statusCode: 401, statusMessage: "Unauthenticated" });
    event.context.user = user; // downstream handlers read the verified user from here
  }
});