Server actions simplify handling user input in Next.js: the framework generates the POST endpoint for you, so a function marked `"use server"` can be called straight from a form. That convenience hides a security fact: every server action is a public HTTP endpoint that anyone can POST to directly, whether or not your UI ever rendered the form that calls it. Treat them like any other API: authenticate and authorize the caller inside the action, validate and normalize the payload server-side, and rate limit the endpoint. Next.js helps with unguessable, non-deterministic action IDs and an experimental setting that restricts which origins may invoke actions, but those are not a substitute for checks in the action itself; input validation plus a tool like Arcjet for rate limiting and bot and attack protection is the recommended baseline.
Table of contents
- Security implications of server actions
- Securing a form submission server action
- Test the protections
- Conclusion