Server Actions Are Public Endpoints, Treat Them Like It
Every exported Server Action is a callable HTTP endpoint with no authentication, rate limiting, or input validation unless you add them. Here's the hardening checklist we run on every Next.js project.