Back to all Insights
May 21, 2026

The Hidden API Vulnerability: Securing Next.js Server Actions

By Paresh Prajapati • Lead Architect

The Hidden API Vulnerability: Securing Next.js Server Actions

The Illusion of Local Functions

Next.js Server Actions are a paradigm shift for React development. They allow you to write backend database mutations right next to your frontend components and call them directly, eliminating the need to manually build and fetch from an /api directory.

Because they feel exactly like calling a local JavaScript function, developers often fall into a dangerous psychological trap: they forget that Server Actions are public API endpoints.

If you create an action called deleteUserInvoice(invoiceId) and attach it to a "Delete" button that is only visible to Admins, you might think you are safe. You aren't. Anyone can open their browser's Network tab, find the generated URL for that Server Action, and send a raw HTTP POST request to it with any invoiceId they want. If you don't secure the action itself, they will delete data they don't own.

Architecting Secure Actions

At Smart Tech Devs, we enforce a strict rule: You must validate authentication, authorization, and data ownership inside the Server Action, every single time.

Step 1: The Vulnerable Action (Anti-Pattern)


// ❌ THE ANTI-PATTERN: Completely exposed to the public internet
"use server";
import db from '@/lib/db';

export async function deleteInvoice(invoiceId: string) {
    // Anyone can trigger this if they guess an invoiceId!
    await db.invoice.delete({ where: { id: invoiceId } });
    return { success: true };
}

Step 2: The Enterprise Pattern (Secure Action)

To secure this, we must reconstruct the context. Who is calling this? Do they own the invoice? Do they have permission to delete it?


// ✅ THE ENTERPRISE PATTERN: Zero-Trust Architecture
"use server";

import { getServerSession } from 'next-auth'; // Or your auth provider
import db from '@/lib/db';
import { z } from 'zod';

// Validate the input strictly
const schema = z.object({ invoiceId: z.string().uuid() });

export async function deleteInvoice(invoiceId: string) {
    // 1. Verify Authentication
    const session = await getServerSession();
    if (!session?.user) {
        throw new Error("Unauthorized"); // Or return a safe error object
    }

    // 2. Validate Input
    const parsed = schema.safeParse({ invoiceId });
    if (!parsed.success) {
        throw new Error("Invalid Input");
    }

    // 3. Verify Ownership / Authorization
    const invoice = await db.invoice.findUnique({
        where: { id: parsed.data.invoiceId }
    });

    if (!invoice || invoice.tenantId !== session.user.tenantId) {
        throw new Error("Forbidden: You do not own this resource.");
    }

    // 4. Finally, perform the safe mutation
    await db.invoice.delete({ where: { id: parsed.data.invoiceId } });
    
    return { success: true };
}

Scaling Security with Action Wrappers

Writing those 4 steps in every single Server Action violates DRY principles. For large SaaS platforms, we highly recommend utilizing an open-source action wrapper like next-safe-action. This allows you to define a middleware-like wrapper that automatically checks sessions and validates Zod schemas before your action's core logic ever runs.

Conclusion

Never rely on the UI to protect your database. Hiding a button in React does not hide the Server Action from the internet. Treat every single Next.js Server Action with the exact same paranoia, strict validation, and authorization checks as a traditional REST API endpoint.

Paresh Prajapati
Lead Architect, Smart Tech Devs