You’re leaking data with Server Actions in Next.js (accidentally)

preview_player
Показать описание
#nextjs #react #javascript #typescript

You need to be careful while using ‘use server’ in Server Actions as it’s too easy to leak data.

Because there is so much confusion already with use client and use server, i.e. client and server components so I don’t blame you but this one is too easy to fall through the cracks.

So if you are making these mistakes, learn how you can avoid the mistake, how it can lead to a security breach and review your previous code as you might have done the same.

⏰ Timeline
00:00 - What this video covers?
00:59 - What are Server Actions & Why you should use them?
2:59 - App Demo
9:26 - How are you leaking data?
11:17 - Mistakes & Common MisConceptions

🔗 RESOURCES:

💌 Frontend Newsletter:
If you liked this video, you will also love my newsletter Frontend Snacks. You will learn a new topic each week with cool visuals and snippets, the latest frontend news and behind-the-scenes exclusive updates that I don't share anywhere else.

☎️ Book a 1:1 coaching session with me

🐤 Find me here
  1. Ankita Kulkarni
Рекомендации по теме
You’re leaking data 0:14:54

You’re leaking data with Server Actions in Next.js (accidentally)

NextJS 'use server' 0:17:12

NextJS 'use server' Trap (Accidentally Leaking Data)

🔴YOUR VPN LEAKING 0:08:09

🔴YOUR VPN LEAKING DATA - HOW TO CHECK & STOP IT !

Does Your Website 0:05:02

Does Your Website Leak Information?

Data Leaks and 0:04:29

Data Leaks and Their Effects: How to check if your data has been leaked?

How to find 0:02:01

How to find memory leak in JavaScript

How DNS Leaks 0:04:40

How DNS Leaks Reveal Your Browsing History

Is your VPN 0:07:21

Is your VPN leaking data? | Live DNS leak testing

Google's secret algorithm 0:03:45

Google's secret algorithm exposed via leak to GitHub…

What is memory 0:03:22

What is memory leak?

Multi-Tenant: Database Per 0:08:55

Multi-Tenant: Database Per Tenant or Shared?

🔴WARNING - YOUR 0:06:37

🔴WARNING - YOUR VPN IS LEAKING DATA

Don't Lose Your 0:20:48

Don't Lose Your Data Like a Dummy

DNS Leaks Explained 0:04:18

DNS Leaks Explained | Learn How to Check and Fix DNS Leaks!

Kids vs. MALWARE!! 0:00:58

Kids vs. MALWARE!!

How to tell 0:03:40

How to tell if your windows 10 or 11 computer has been hacked

DNS leaks explained 0:04:02

DNS leaks explained | Learn how to check and fix DNS leaks!

Do you know 0:00:57

Do you know this Gmail hack??

This is What 0:00:42

This is What GTA V Looked Like in 2009

3 signs to 0:05:34

3 signs to Check if your Computer's HACKED [SPY SOFTWARE]

How to know 0:10:19

How to know if your PC is hacked? Suspicious Network Activity 101

NEVER buy from 0:00:46

NEVER buy from the Dark Web.. #shorts

Cloudflare Data Leak 0:00:38

Cloudflare Data Leak

Why I no 0:11:25

Why I no longer use a VPN (most of the time) and nor should you

Комментарии
Автор

Can you make a dedicated course on next.js

vipulgupta
Автор

This video is pretty disingenuous. The title should be, "You're exposing data by not authenticating API routes". It has literally nothing to do with Next.js or Server Actions. Any API route created using any technology would be "leaking" data in the same way if the route is unauthenticated. Advertising a workshop 2 minutes in is also hilarious. Will you be teaching prospective engineers about this massive risk in Next.js? Perhaps you should instead be teaching them good data management theory. Rather than blaming parts of the technology for this engineering failure why not teach them to think about data holistically.

1. What data in this route is sensitive?
2. Should the data be limited by some attribute of the user?
3. If not, are we simply providing too much data on this route?

In your example, you are exposing all your products... which would be exposed on your site anyways. There is no data leak, in fact, the route created would be a viable one for resellers to utilize in order to pull a real time product list and so could serve additional use cases. I also completely disagree with the idea that engineers should not make exports out of server actions if they aren't immediately planning on re-using them. Functions should be reusable, this is how we build good scalable code. If the code isn't reusable, the real question is why? If it's an authentication issue, then that's an authentication failure not an "exporting something when you shouldn't" failure.

GamerUnderDev
Автор

I was doing data recovery on server actions. but I saw a video on youtube of a senior doing it on the server component. I'm still waiting for your response. I have 2 questions. 1. If the data recovery function needs it in 2 components, can I put it in another file, should it be .ts or .tsx? 2. Definitely the recovery functions would only be in server compent? no exception? to refactor my code. and I have 2 requests. 1. you can make a video about unstable_cache. I saw a video but I don't know what's special about it, I think it's for tag a prisma or a SQL query. since it does not have the tag or revalidate property as in "fetch". 2. You could talk about the react query. Is the caching only on the client side? I mean this doesn't apply to subsequent users who visit the page? Or is the cache only saved by the user who is visiting the application?. 3. The authentication validation, if it is a valid or logged in user, just put it in Middleware or should I put it in both places in the actions and Middleware? How did you say that you have to treat them as public APIs? Or do I just put it in Middleware? thanks

carlosterrazas