I keep seeing it on code reviews. Proxy solid. Auth on every Server Component. Header direction correct.
Then I look at the Server Actions.
No auth check. Not one. The page that renders the button is protected. The action behind the button accepts whatever the caller sends -- any valid session, any resource ID, no ownership verification anywhere.
'use server' doesn't add authentication. It exposes an HTTP endpoint. Anyone with a valid session cookie and a cURL command can call it directly, no UI required.
That's what this post covers.






