Review: Server Actions

Security Checklist

Input Validation

• All inputs validated with schema (zod, yup, etc.)
• Type coercion handled correctly (FormData.get returns strings)
• Length limits enforced
• No SQL injection vulnerabilities

For runtime validation patterns and type safety, use the using-runtime-checks skill from the typescript plugin.

If reviewing Zod schema validation patterns, use the validating-schema-basics skill for type-safe Zod v4 schema patterns.

Authentication & Authorization

• Session/auth checked before mutations
• User permissions verified
• Resource ownership validated
• No unauthorized access possible

For secure credential handling, use the SECURITY-credentials skill from the typescript plugin.

Data Sanitization

• User input sanitized before storage
• No XSS vulnerabilities
• File uploads validated (type, size, content)
• Dangerous operations require confirmation

Best Practices

Error Handling

• Try-catch blocks for async operations
• Specific error messages for users
• No sensitive data in error messages
• Logging for debugging

Return Values

• Return serializable objects only
• Consistent response format
• Success and error states handled
• Field-specific errors when needed

Performance

• Database queries optimized
• No N+1 query problems
• Appropriate use of transactions
• Rate limiting where needed

Anti-Patterns to Flag

• ❌ No validation (trusting client input)
• ❌ No authentication checks
• ❌ Returning non-serializable values (functions, classes)
• ❌ Missing error handling
• ❌ Exposing sensitive data
• ❌ Direct database queries without sanitization
• ❌ No rate limiting on critical actions

For comprehensive Server Actions security, see: research/react-19-comprehensive.md lines 723-729, 1808-1942.