
Server action security considerations in NextJS

Introduction

Server Actions let a component call an async function that runs on the server. That keeps database access, secret keys and business rules out of the browser bundle, but every exported action is also a public HTTP endpoint: any client that can reach the site can invoke it with arguments of its own choosing, so each action must authenticate the caller, check permissions and validate its inputs itself.

When you want to keep user data and business logic on the server rather than shipping them to the browser.
When handling sensitive operations like payments or user authentication.
When you need to stop users from changing data they are not authorized to change.
When you must validate inputs before they reach a database.
When you want to avoid exposing secret keys or tokens in client code.
Syntax
NextJS
"use server"

export async function myServerAction(data) {
  // server-side logic here
  return result;
}
The "use server" directive at the top of a file marks every function it exports as a server action: the body runs only on the server and is never shipped to the browser. The flip side is that each exported action is exposed as an HTTP endpoint, so anyone who can reach the site can call it, not only your own UI.
Declare actions as async functions: they are invoked over the network and usually await database or API calls.
Examples
This server action validates its argument before inserting a new user. Because the argument arrives from the network, the check covers its type as well as its presence. `db` stands for whatever database client the app uses.
NextJS
"use server"

// `db` is a placeholder for the app's database client, imported at the top
// of this file; it stays on the server and never reaches the browser.
export async function addUser(name) {
  // Validate input: `name` is whatever the caller sent, so check the type too
  if (typeof name !== 'string' || name.trim() === '') {
    throw new Error('Name is required');
  }
  // Save user to database
  return await db.users.create({ name: name.trim() });
}
This server action lets only admins delete users. The admin check must be based on server-side state (the session behind the caller's request cookie), never on a flag the client passes as an argument, since the client controls every argument.
NextJS
"use server"

// `userIsAdmin` is a placeholder: it must read the caller's role from the
// server-side session (e.g. via the request cookie), not from an argument.
export async function deleteUser(id) {
  // Check user permissions before touching the database
  if (!(await userIsAdmin())) throw new Error('Not authorized');
  // Validate the id so the delete cannot run with an unexpected value
  if (typeof id !== 'string' || id === '') throw new Error('Invalid id');
  // Delete user from database
  return await db.users.delete({ where: { id } });
}
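The addUser example above takes a single string, but an action's argument can be any JSON value the caller decides to POST: an array, a number, or an object carrying fields you never asked for. The following is an added example, not code from the original page or from Next.js, of a validator that a server action would call before touching the database. It rejects non-object payloads, bounds and normalises each field, and returns only whitelisted fields, so a client-supplied role or id never reaches the insert. The parseNewUser name, the field rules and the sample payloads are assumptions made for the demo; it is plain Node.js with no Next.js dependency.

```javascript
// Added example, not from the original page: validating what a Server Action
// receives. The endpoint is public, so `raw` can be any JSON value a caller
// chooses to POST, not just the object your own form builds.
const NAME_MAX = 64;
// Permitted name characters: letters, digits, space, dot, apostrophe, hyphen
// (a policy choice for this demo, not an escaping mechanism)
const NAME_RE = /^[\p{L}\p{N} .'-]+$/u;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns { ok: true, value } with a whitelisted, normalised record,
// or { ok: false, errors } listing every rejected field.
function parseNewUser(raw) {
  // Anything that is not a plain object is rejected outright (null,
  // arrays, strings and numbers all arrive as perfectly valid JSON)
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    return { ok: false, errors: ['payload must be an object'] };
  }
  const errors = [];

  const name = typeof raw.name === 'string' ? raw.name.trim() : '';
  if (name === '') errors.push('name is required');
  else if (name.length > NAME_MAX) errors.push(`name longer than ${NAME_MAX} characters`);
  else if (!NAME_RE.test(name)) errors.push('name contains invalid characters');

  const email = typeof raw.email === 'string' ? raw.email.trim().toLowerCase() : '';
  if (!EMAIL_RE.test(email)) errors.push('email is invalid');

  if (errors.length > 0) return { ok: false, errors };
  // Whitelist: only these two fields are returned, so a client-supplied
  // `role`, `id` or `isAdmin` can never reach db.users.create()
  return { ok: true, value: { name, email } };
}

// Constructed payloads, as a browser form, a script or curl could send them
const samples = [
  { name: 'Ada Lovelace', email: 'ada@example.com' },
  { name: 'Mallory', email: 'M@example.com', role: 'admin', id: 1 },
  { name: '', email: 'nobody' },
  ['not', 'an', 'object'],
];

for (const s of samples) console.log(JSON.stringify(parseNewUser(s)));
```

Inside an action the call is `const parsed = parseNewUser(data); if (!parsed.ok) return parsed;` followed by `db.users.create(parsed.value)`. A schema library such as zod does the same job with less hand-written code; the point that does not change is that the action, not the form, is the trust boundary.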
Sample Program

This server action refuses to do any work unless the request carries an auth token cookie, then validates the message before saving it. Note that the presence of a cookie only proves that a cookie was sent: a production action must verify the token (signature and expiry, or a lookup in the session store) before treating the caller as logged in. The "use server" directive has to be the first statement in the file, ahead of any imports.

NextJS
"use server"

import { cookies } from 'next/headers';

export async function secureServerAction(data) {
  // Read the auth cookie from the incoming request. cookies() is async in
  // recent Next.js versions; awaiting it is harmless where it is still sync.
  const cookieStore = await cookies();
  const token = cookieStore.get('authToken');
  if (!token || !token.value) {
    throw new Error('User not authenticated');
  }
  // Placeholder: presence alone is not authentication. Verify token.value
  // (signature and expiry, or a session-store lookup) before trusting the caller.

  // Validate input: `data` is untrusted, so check shape and type, not just length
  if (!data || typeof data.message !== 'string' ||
      data.message.length === 0 || data.message.length > 100) {
    throw new Error('Invalid message');
  }

  // Simulate saving message securely
  return `Message saved: ${data.message}`;
}
Important Notes

Always validate inputs on the server: an action's arguments are whatever the caller sent, so check type, shape and size, and pass only whitelisted fields on to the database.

Never trust data coming from the client; every action must check authentication and permissions itself, because it is reachable by any HTTP client, not only your UI, and a client can call it with arguments your UI would never produce.

Keep secret keys and tokens only on the server, never send them to the browser. When an action is defined inside a component, the variables it closes over travel to the client and back (Next.js encrypts them); read secrets from the environment inside the action instead of capturing them in a closure.

Summary

Server actions run only on the server to protect sensitive logic.

Always check user authentication and permissions inside server actions.

Validate all inputs to keep your app safe from bad data or attacks.