Replies: 1 comment
Interesting, we should revisit this once we have merged alpha to main.
When I took a look at the new feature updates from Next.js:
Server Actions are server-side functions that can be called from the client. They are defined by adding the 'use server' directive at the top of a file and exporting an async function.
Even if a Server Action or utility function is not imported elsewhere in your code, it's still a publicly accessible HTTP endpoint. While this behavior is technically correct, it can lead to unintentional exposure of such functions.
To improve security, we've introduced the following enhancements:
Dead code elimination: Unused Server Actions won't have their IDs exposed to the client-side JavaScript bundle, reducing bundle size and improving performance.
Secure action IDs: Next.js now creates unguessable, non-deterministic IDs to allow the client to reference and call the Server Action. These IDs are periodically recalculated between builds for enhanced security.
You should still treat Server Actions as public HTTP endpoints. Learn more about securing Server Actions.
I realize that our framework needs a feature like this.
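The quoted guidance ends with "you should still treat Server Actions as public HTTP endpoints". As an added example (not code from this thread or from Next.js), here is what that looks like in practice: the action does its own authentication, authorization and input validation instead of relying on being unreferenced or on an unguessable action ID. `getSession` and `deleteUser` are hypothetical adapters injected so the module runs outside Next.js.

```javascript
'use server';
// Added example: a Server Action written as the public HTTP endpoint it is.
// The policy check is a pure function so it can be exercised without Next.js.
// `session` is null for anonymous callers; `formData` is anything with get()
// (FormData in Next.js, a Map in the tests below).

const ROLE_ADMIN = 'admin';

function authorizeDeleteUser(session, formData) {
  if (!session) return { ok: false, status: 401, reason: 'unauthenticated' };
  if (session.role !== ROLE_ADMIN) return { ok: false, status: 403, reason: 'forbidden' };
  const raw = formData.get('userId');
  // Canonical positive integer only; rejects '', '-1', '1e3', '0x2a', objects, arrays.
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,9}$/.test(raw)) {
    return { ok: false, status: 400, reason: 'invalid userId' };
  }
  const userId = Number(raw);
  if (userId === session.userId) return { ok: false, status: 400, reason: 'cannot delete self' };
  return { ok: true, status: 200, userId };
}

// The action a client would invoke by its action ID. `deps` holds the
// hypothetical adapters: getSession() (in Next.js, read from the session
// cookie via next/headers) and deleteUser(id) (the database write).
async function deleteUserAction(formData, deps) {
  const session = await deps.getSession();
  const decision = authorizeDeleteUser(session, formData);
  if (!decision.ok) {
    // Log the reason server-side; return only a generic status to the client.
    console.warn(`deleteUser rejected: ${decision.status} ${decision.reason}`);
    return { ok: false, status: decision.status };
  }
  await deps.deleteUser(decision.userId);
  return { ok: true, status: 200, userId: decision.userId };
}
```

The point is that the unused-action elimination and random IDs described above reduce exposure, but every action that does get invoked must enforce its own policy as any route handler would.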