HIGHSecuritysmallNext.js + Supabase Standards

Validate all server action inputs at the boundary

Server actions are public HTTP endpoints. Validate all inputs with Zod or similar before any database operation.

Why This Matters

Without validation, malformed or malicious input can cause SQL errors, data corruption, or injection attacks.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

Server actions can be called by anyone — they're public HTTP endpoints. Never trust the input.

Good

import { z } from "zod"
 
const CreateRuleSchema = z.object({
  title: z.string().min(1).max(200),
  category: z.enum(["security", "performance", "architecture", "quality"]),
  impact: z.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
})
 
export async function createRule(input: unknown) {
  const { orgId } = await requireAuth()
  const data = CreateRuleSchema.parse(input)
  // ... safe to use data
}

Validate all server action inputs at the boundary

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Good