Skill

reviewing-server-actions

Review Server Actions for security, validation, and best practices in React 19. Use when reviewing forms, mutations, or server-side logic.

From react-19
Install
Run in your terminal:
npx claudepluginhub djankies/claude-configs --plugin react-19
Tool Access

This skill is limited to using the following tools:

Read, Grep, Glob
Skill Content

Review: Server Actions

Security Checklist

Input Validation

  • All inputs validated with schema (zod, yup, etc.)
  • Type coercion handled correctly (FormData.get returns strings)
  • Length limits enforced
  • No SQL injection vulnerabilities

For runtime validation patterns and type safety, use the using-runtime-checks skill from the typescript plugin.

If reviewing Zod schema validation patterns, use the validating-schema-basics skill for type-safe Zod v4 schema patterns.

Authentication & Authorization

  • Session/auth checked before mutations
  • User permissions verified
  • Resource ownership validated
  • No unauthorized access possible

For secure credential handling, use the SECURITY-credentials skill from the typescript plugin.

Data Sanitization

  • User input sanitized before storage
  • No XSS vulnerabilities
  • File uploads validated (type, size, content)
  • Dangerous operations require confirmation

Best Practices

Error Handling

  • Try-catch blocks for async operations
  • Specific error messages for users
  • No sensitive data in error messages
  • Logging for debugging

Return Values

  • Return serializable objects only
  • Consistent response format
  • Success and error states handled
  • Field-specific errors when needed

Performance

  • Database queries optimized
  • No N+1 query problems
  • Appropriate use of transactions
  • Rate limiting where needed

Anti-Patterns to Flag

  • ❌ No validation (trusting client input)
  • ❌ No authentication checks
  • ❌ Returning non-serializable values (functions, classes)
  • ❌ Missing error handling
  • ❌ Exposing sensitive data
  • ❌ Direct database queries without sanitization
  • ❌ No rate limiting on critical actions

For comprehensive Server Actions security, see: research/react-19-comprehensive.md lines 723-729, 1808-1942.

Similar Skills
cache-components

Expert guidance for Next.js Cache Components and Partial Prerendering (PPR). **PROACTIVE ACTIVATION**: Use this skill automatically when working in Next.js projects that have `cacheComponents: true` in their next.config.ts/next.config.js. When this config is detected, proactively apply Cache Components patterns and best practices to all React Server Component implementations. **DETECTION**: At the start of a session in a Next.js project, check for `cacheComponents: true` in next.config. If enabled, this skill's patterns should guide all component authoring, data fetching, and caching decisions. **USE CASES**: Implementing 'use cache' directive, configuring cache lifetimes with cacheLife(), tagging cached data with cacheTag(), invalidating caches with updateTag()/revalidateTag(), optimizing static vs dynamic content boundaries, debugging cache issues, and reviewing Cache Component implementations.

Stats
Parent Repo Stars: 0
Parent Repo Forks: 0
Last Commit: Nov 25, 2025