Next.js Discord

Are there any disadvantages for using server actions instead of API?

Polar bear posted this in #help-forum
Polar bearOP
In my next.js project I’m mostly using server actions instead of API calls, because they’re in my opinion way cleaner. But are there any disadvantages of using them?

18 Replies

Madeiran sardinella
Idk, I think that if it fits what you're looking for and you haven't found yourself in trouble, you have already answered the question. 🤷🏾‍♂️
I believe it is possible for people to overlook the importance of ensuring server actions are secure, primarily due to the fact that they may not perceive them as APIs. However, it is crucial to know that these actions involve HTTP POST requests.
@Polar bear In my next.js project I’m mostly using server actions instead of API calls, because they’re in my opinion way cleaner. But are there any disadvantages of using them?
1. Other front ends (e.g. a mobile app) cannot consume the server action.
2. Server actions cannot be run in parallel.
Netherland Dwarf
Also, server actions can't be called as a callback in a middleware, I believe, if ever in the future you want to add rate limiting, auth or an HTTP status check.
Middleware is already on the server, so you don't need server actions or API routes there to run server-side logic. Only in very specific, obscure circumstances do you need to fetch your own API routes in middleware.
Polar bearOP
Ah thank you. How would I secure server actions?
Netherland Dwarf
You need to add "use server" on the server action if you're calling it inside a client component.
Polar bearOP
So that makes it secure?
Netherland Dwarf
That makes it so no one can access the component. If you are using an API key or doing validation inside a server action, you don't want users on the client side to access it, because they can see your API keys and bypass any validation.
So, does it make it secure by not exposing your API key and allowing input validation? Then yes.
Polar bearOP
Ah, ty.
Polar bearOP
But server actions cannot be run by anyone, so how can they be DDoSed?
Original message was deleted
American Crow
Stop spreading false information, especially after @joulev corrected you already. It's one thing to be wrong or not know about something but you have been told facts 3 messages above yours.

Here is rate limiting within a server action from my code base:
"use server"

import { headers } from "next/headers"
import { Ratelimit } from "@upstash/ratelimit"
import { Redis } from "@upstash/redis"
// ... other project imports (e.g. the BusinessNameGeneratorSubclasses type) omitted in the original

// Rate Limiter: fixed window of 20 calls per hour per key, counters kept in
// Upstash Redis (connection details read from UPSTASH_REDIS_REST_URL/TOKEN env vars)
const rateLimiter = new Ratelimit({
  redis: Redis.fromEnv(),
  analytics: true,
  limiter: Ratelimit.fixedWindow(20, "3600 s"),
})

export async function generateNames(
  userInput: string,
  subClass: BusinessNameGeneratorSubclasses
) {
  // Validate the argument server-side; it arrives over an HTTP POST from the client
  if (!userInput) {
    return { error: "No User Input." }
  }

  // Rate Limiting: key the counter on the client IP taken from the proxy headers,
  // falling back to a single shared "anonymous" key when neither header is present
  const ip =
    headers().get("x-forwarded-for") ??
    headers().get("x-real-ip") ??
    "anonymous"
  const { success } = await rateLimiter.limit(ip)
  ...
}
Netherland Dwarf
@American Crow thank you and sorry, I don't mean to spread false info, I help on the React Discord too. I read over it now and I updated my comments, but I know for sure server actions must be marked "use server" if called in a client component, because it says so in the official docs. Thanks though, I will update my info!
@Polar bear @American Crow has updated the info, so please refer to that if you do plan on adding rate limiting in server actions.
American Crow
Thank you for recognizing this. It is commendable that you are trying to help others and you should continue to do so. But if an experienced dev/mod like joulev corrects you, you have to respect that.