| name | reviewing-server-actions |
| description | Review Server Actions for security, validation, and best practices in React 19. Use when reviewing forms, mutations, or server-side logic. |
| review | true |
| allowed-tools | Read, Grep, Glob |
| version | 1.0.0 |
Review: Server Actions
Security Checklist
Input Validation
- All inputs validated with schema (zod, yup, etc.)
- Type coercion handled correctly (FormData.get returns strings)
- Length limits enforced
- No SQL injection vulnerabilities
For runtime validation patterns and type safety, use the using-runtime-checks skill from the typescript plugin.
If reviewing Zod schema validation patterns, use the validating-schema-basics skill for type-safe Zod v4 schema patterns.
Authentication & Authorization
- Session/auth checked before mutations
- User permissions verified
- Resource ownership validated
- No unauthorized access possible
For secure credential handling, use the SECURITY-credentials skill from the typescript plugin.
Data Sanitization
- User input sanitized before storage
- No XSS vulnerabilities
- File uploads validated (type, size, content)
- Dangerous operations require confirmation
Best Practices
Error Handling
- Try-catch blocks for async operations
- Specific error messages for users
- No sensitive data in error messages
- Logging for debugging
Return Values
- Return serializable objects only
- Consistent response format
- Success and error states handled
- Field-specific errors when needed
Performance
- Database queries optimized
- No N+1 query problems
- Appropriate use of transactions
- Rate limiting where needed
Anti-Patterns to Flag
- ❌ No validation (trusting client input)
- ❌ No authentication checks
- ❌ Returning non-serializable values (functions, classes)
- ❌ Missing error handling
- ❌ Exposing sensitive data
- ❌ Direct database queries without sanitization
- ❌ No rate limiting on critical actions
For comprehensive Server Actions security, see: research/react-19-comprehensive.md lines 723-729, 1808-1942.