SecureStartKit
Application Security

Server Actions

Also known as: Next.js Server Actions, use server

Definition

Server Actions are Next.js functions marked with the 'use server' directive that run on the server and can be called from client components. Every Server Action is a public HTTP endpoint: it must validate its inputs with Zod, derive the caller's identity from the session, and never trust a user ID supplied in the request payload.

What are Server Actions?

A Server Action is a function in a Next.js App Router app that runs server-side and can be invoked directly from a client component. The compiler turns the function into an HTTP endpoint behind the scenes: the client-side import becomes a stub that POSTs to the app with the action's ID, and the function's arguments are serialized into the request body.

Why are Server Actions a security boundary?

Because they are public HTTP endpoints. The action ID ships in the client bundle, so an attacker can construct the call manually with curl (a POST carrying the `Next-Action` header and an arbitrary body) without ever rendering the form. Any validation that lives only in the React form is decoration; the action itself must validate. Note also that every exported function in a file that starts with 'use server' becomes an endpoint, including helpers you did not mean to expose. The canonical pattern is validate-authorize-query: safeParse the input with Zod, read identity from the session via Supabase's getClaims, and only then perform the privileged operation.

What is the "userId from payload" anti-pattern?

A Server Action that accepts a userId parameter and uses it in the database query is an Insecure Direct Object Reference (IDOR). An attacker submits the victim's user ID and the action updates the victim's row. The fix: derive identity from the session cookie, never from the request payload. If the payload happens to carry a userId, the schema should drop it and the query should still be scoped to the session's subject.

Learn more

  • Server Actions + Zod in Next.js 16
  • Backend-only Data Access

Related terms

  • Zod: Zod is a TypeScript-first schema validation library that parses unknown input against a typed schema and returns either typed data or a structured error. In Server Actions, Zod is the validation layer that runs before any business logic, rejecting malformed or hostile input at the boundary.
  • IDOR: IDOR (Insecure Direct Object Reference) is a vulnerability class where an application uses a user-supplied identifier (such as a userId or recordId) to look up data without verifying the requester is authorized to access that specific object. IDOR is the most common Server Action bug in AI-generated Next.js code.
  • getClaims: getClaims is the Supabase Auth method that locally validates a JWT against the cached public key from the project's JWKS endpoint and returns the parsed claims. It replaces getSession for authorization because getSession reads the cookie without re-validating the signature.
  • Backend-only data access: Backend-only data access is an architectural pattern where the database is never queried directly from the browser. All queries run through Server Actions or Route Handlers using the service_role key, after server-side authentication and Zod validation. The browser only receives data the server explicitly returns.