Next.js (hard)

Server Actions — what are they and what security rule must you remember?

Tags: #server-actions #security #validation

Answer

Server Actions are functions that run on the server and can be invoked from forms or client components. Treat them like public endpoints: validate input and enforce auth/authorization on the server (don’t rely on the UI).

Advanced answer

Deep dive

Server Actions are server-side functions (typically marked with `'use server'`) that can be called from:

  • `<form action={myAction}>` submissions,
  • Client Components via action props.

They run on the server, so they can access secrets, databases, and internal services. They also integrate with cache invalidation (`revalidatePath`, `revalidateTag`) after mutations.

Example

```ts
'use server'

// Helper modules assumed by this example (paths are illustrative, not part of the original):
import { requireUser } from '@/lib/auth' // resolves the session or throws/redirects
import { db } from '@/lib/db'            // your ORM client

export async function updateName(formData: FormData) {
  // Validate on the server; the form is untrusted input
  const name = String(formData.get('name') ?? '')
  if (name.length < 2) throw new Error('Invalid name')

  // Authenticate the caller; the update is scoped to that caller's own id
  const user = await requireUser()
  await db.user.update({ where: { id: user.id }, data: { name } })
}
```

The security rule to remember

Treat a Server Action like a **public API endpoint**:

  • validate and sanitize inputs,
  • authenticate the caller,
  • authorize the operation (ownership/role checks),
  • don’t rely on “the button is hidden in the UI”.

Common pitfalls

  • Missing authorization checks (any logged-in user can trigger it).
  • Accepting unchecked input (mass assignment / injection risks).
  • Returning sensitive data back to the client unintentionally.
