Review: Server Actions
Security Checklist
Input Validation
- • All inputs validated with schema (zod, yup, etc.)
- • Type coercion handled correctly (FormData.get returns strings)
- • Length limits enforced
- • No SQL injection vulnerabilities
For runtime validation patterns and type safety, use the using-runtime-checks skill from the typescript plugin.
If reviewing Zod schema validation patterns, use the validating-schema-basics skill for type-safe Zod v4 schema patterns.
Authentication & Authorization
- • Session/auth checked before mutations
- • User permissions verified
- • Resource ownership validated
- • No unauthorized access possible
For secure credential handling, use the SECURITY-credentials skill from the typescript plugin.
Data Sanitization
- • User input sanitized before storage
- • No XSS vulnerabilities
- • File uploads validated (type, size, content)
- • Dangerous operations require confirmation
Best Practices
Error Handling
- • Try-catch blocks for async operations
- • Specific error messages for users
- • No sensitive data in error messages
- • Logging for debugging
Return Values
- • Return serializable objects only
- • Consistent response format
- • Success and error states handled
- • Field-specific errors when needed
Performance
- • Database queries optimized
- • No N+1 query problems
- • Appropriate use of transactions
- • Rate limiting where needed
Anti-Patterns to Flag
- • ❌ No validation (trusting client input)
- • ❌ No authentication checks
- • ❌ Returning non-serializable values (functions, classes)
- • ❌ Missing error handling
- • ❌ Exposing sensitive data
- • ❌ Direct database queries without sanitization
- • ❌ No rate limiting on critical actions
For comprehensive Server Actions security, see: research/react-19-comprehensive.md lines 723-729, 1808-1942.