Next.js Discord

Should the Server Actions documentation warn about leaking secrets?

Unanswered
Northern Goshawk posted this in #help-forum
Northern Goshawk (OP)
Twitter: https://x.com/fredkisss/status/1716608302522454094?s=20
CodeSandbox: https://codesandbox.io/p/github/mikedidomizio/nextjs-server-actions-leaky-env-vars/main

Should the documentation for Server Actions warn about ways that secrets could be leaked to the client? It seems that by using server components and server actions with "use server" inline in the component, it could easily be missed/mistaken to be totally server side and safe.

It wouldn't surprise me if there are apps out there right now with secrets leaked.

9 Replies

Alfonsus Ardani
They have mentioned Server Actions being encrypted in the future version
Northern Goshawk (OP)
Yep, which is great but I worry about the apps out there right now.
Alfonsus Ardani
The apps out there either haven't used Server Actions since they know how alpha they were, or have used them but in a different file
I think you are right to a certain extent, but it's only a very small fraction of code that will get affected
edit: In Next.js 14
Northern Goshawk (OP)
I'm kind of on the fence. Having server actions labelled as experimental and warning people in the compiler, "Experiments (use at your own risk)", is great, but it doesn't mean we shouldn't warn people if we find issues with the features in the documentation before Next@14.
joulev
i wholly agree with you here, they indeed should've documented this, along with many other security must-haves e.g. validation of arguments and closure values. they didn't document any of that.

but they released a blog post recently on this, linked above, and i got word from them that the content of this blog post will be added to the server actions documentation
so tomorrow when server actions reach stable, don't worry, they will (probably) merge the doc and you will get security notes there