Server Action Validation

Server actions using formData without Zod/schema validation

Severity: critical | Category: Security | Rule ID: next-server-action-validation

Why this matters

Server actions receive untrusted input from the client. Reading fields with formData.get() and casting them to string, without validation, is the same as trusting user input: formData.get() returns a string, a File, or null, and the cast only silences the compiler. Injection, type confusion, and data corruption follow.

Bad

"use server";

// db is assumed to be an ORM client (e.g. Prisma) imported elsewhere.
export async function createPost(formData: FormData) {
  // formData.get() returns string | File | null; the cast does not check
  // the value, it only tells the compiler to stop complaining.
  const title = formData.get("title") as string;
  const body = formData.get("body") as string;
  // Unvalidated client input goes straight to the database.
  await db.post.create({ data: { title, body } });
}

Good

"use server";

import { z } from "zod";

// The schema is defined once at module scope and reused by every call.
const schema = z.object({
  title: z.string().min(1).max(200),
  body: z.string().min(1).max(10000),
});

export async function createPost(formData: FormData) {
  // parse() throws a ZodError if a field is missing, is a File, or is out
  // of bounds; only the fields the schema declares reach the database.
  const data = schema.parse({
    title: formData.get("title"),
    body: formData.get("body"),
  });
  await db.post.create({ data });
}

How to fix

Validate every formData field with Zod or a similar schema library inside the server action, before the values are used, so that only the fields the schema declares reach the data layer. Note that parse() throws on invalid input; if the form should show errors to the user instead, use safeParse() and return the field errors from the action.
