8 changes: 8 additions & 0 deletions docs/start/config.json
Expand Up @@ -153,6 +153,10 @@
"label": "Authentication",
"to": "framework/react/guide/authentication"
},
{
"label": "Security",
"to": "framework/react/guide/security"
},
{
"label": "Databases",
"to": "framework/react/guide/databases"
Expand Down Expand Up @@ -262,6 +266,10 @@
"label": "Authentication",
"to": "framework/solid/guide/authentication"
},
{
"label": "Security",
"to": "framework/solid/guide/security"
},
{
"label": "Databases",
"to": "framework/solid/guide/databases"
2 changes: 2 additions & 0 deletions docs/start/framework/react/guide/authentication.md
Expand Up @@ -361,6 +361,8 @@ export const resetPasswordFn = createServerFn({ method: 'POST' })

## Security Best Practices

> For a complete overview of TanStack Start's built-in security protections, see the [Security FAQ](./security).

### 1. Password Security

```tsx
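Review bot: "a complete overview" in the added callout overstates what the linked page is; security.md introduces itself as "Answers to common security questions" and covers the built-in protections in a short table, so suggest "For an overview of TanStack Start's built-in security protections and what you must configure yourself, see the [Security FAQ](./security)." That wording also tells the reader of this password-security section that authentication and authorization logic sits in the FAQ's "you configure" bucket rather than being provided for them.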
2 changes: 2 additions & 0 deletions docs/start/framework/react/guide/middleware.md
Expand Up @@ -18,6 +18,8 @@ Middleware allows you to customize the behavior of both server routes like GET/P
- **Error Handling**: Handle errors in a consistent way.
- And many more! The possibilities are up to you!

> TanStack Start includes many security protections automatically. Middleware is where you implement app-specific security like auth checks or CSRF tokens for legacy browsers. See the [Security FAQ](./security).

## Middleware Types

There are two types of middleware: **request middleware** and **server function middleware**.
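Review bot: the new callout narrows CSRF work to "CSRF tokens for legacy browsers", but the list above says middleware applies to server routes (GET/POST) as well, and the Security FAQ added in this PR lists the automatic CSRF controls (POST enforcement, the `x-tsr-serverFn` header requirement) specifically for server function requests. State explicitly whether cookie-authenticated server routes receive the same automatic treatment or must add their own check here, e.g. "Middleware is where you implement app-specific security such as auth checks, or CSRF protection for server routes and for legacy browsers without SameSite support." Otherwise a reader may conclude a plain POST route is covered when the docs never say so.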
68 changes: 68 additions & 0 deletions docs/start/framework/react/guide/security.md
@@ -0,0 +1,68 @@
---
id: security
title: Security FAQ
---

Answers to common security questions about TanStack Start.

## Is TanStack Start secure by default?

Yes. TanStack Start includes built-in protections against common web vulnerabilities:

| Attack Vector | Protection |
| --------------------- | ------------------------------------------------------------------------------------------------------------ |
| CSRF | POST enforcement, custom headers, SameSite cookie support |
| Serialization attacks | Hardened serializer tested against all known CVEs and proactively researched against emerging attack vectors |
| SSRF | Origin derived from `request.url`, not client headers |
| Open redirects | URL sanitization (CR/LF stripping, protocol-relative URL prevention) |
| XSS | CSP nonce support for inline scripts |
| DoS | Payload size limits on requests |

## What's automatic vs what do I need to configure?

**Automatic (zero configuration):**

- POST enforcement for server function mutations
- Custom header requirement (`x-tsr-serverFn`) on server function requests
- Origin validation from `request.url`
- Serialization hardening
- URL sanitization
- Payload size limits

**You configure (app-specific):**

- **SameSite cookie policy** - we provide the option, you choose `'lax'` or `'strict'` based on your app's cross-site requirements
- **Input validation schemas** - we provide `.inputValidator()`, you define what valid data looks like for your domain
- **CSP nonce** - we propagate your nonce to all scripts; you generate and configure it per-request
- **Authentication & authorization** - session management is provided, but auth logic is app-specific
- **Rate limiting** - depends on your infrastructure and traffic patterns

**Optional (if needed):**

- **CSRF tokens** - only needed for legacy browsers that don't support SameSite cookies; implement via middleware if required

We can't make every security decision for you because the right choice depends on your specific application. A banking app needs `sameSite: 'strict'`, while an app with legitimate cross-site embeds might need `'lax'`. Your validation schemas depend on your data model. Auth depends on your user system.

## What about RSC (React Server Components) security?

TanStack Start's server function architecture uses a unidirectional data flow - the server sends data to the client, but the client does not send serialized component payloads back to the server for parsing.

This architecture is not susceptible to the class of RSC vulnerabilities disclosed in late 2025, including:

- [CVE-2025-55182](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) - Remote code execution via RSC payload deserialization
- [CVE-2025-55184](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) - Denial of service
- [CVE-2025-55183](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) - Source code exposure

These vulnerabilities affect frameworks that parse RSC Flight payloads on the server from client requests.

## How should I validate user input?

Use the `.inputValidator()` method on server functions. See [Server Function Validation](./server-functions#validation).

## How do I keep secrets safe?

Use `createServerFn()` or `createServerOnlyFn()` to ensure code only runs on the server. See [Execution Model](./execution-model).

## How do I report a security issue?

Do not open a public GitHub issue. Email security concerns to the maintainers and allow time for a fix before public disclosure.
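Review bot: the "SSRF" row in the protections table mislabels the control: deriving the origin from `request.url` rather than client-supplied headers defends against host-header and origin spoofing, not against server-side request forgery, which is the server being induced to fetch attacker-chosen URLs; rename the row (e.g. "Host header injection") or describe the SSRF protection that actually exists. Two smaller points in the same file: "tested against all known CVEs and proactively researched against emerging attack vectors" cannot be checked by the reader, so link the advisories or test suite it refers to, or soften it to "tested against the known serializer CVEs"; and the "How do I report a security issue?" answer gives no address or SECURITY.md link, so "Email security concerns to the maintainers" leaves the reporter with nowhere to send them.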
2 changes: 2 additions & 0 deletions docs/start/framework/react/guide/server-functions.md
Expand Up @@ -134,6 +134,8 @@ The build process replaces server function implementations with RPC stubs in cli

Server functions accept a single `data` parameter. Since they cross the network boundary, validation ensures type safety and runtime correctness.

> Input validation is one of the security measures you configure per your application's needs. See the [Security FAQ](./security) for what's automatic vs what you configure.

### Basic Parameters

```tsx
6 changes: 6 additions & 0 deletions docs/start/framework/solid/guide/security.md
@@ -0,0 +1,6 @@
---
id: security
title: Security FAQ
---

See the [Security FAQ](../../react/guide/security.md) - the security architecture is identical for React and Solid.
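Review bot: "the security architecture is identical for React and Solid" is too strong given that the linked FAQ contains a React-specific section ("What about RSC (React Server Components) security?") that does not apply to Solid; suggest "the same protections apply to React and Solid; the RSC section is React-only" so Solid readers are not left wondering whether RSC-style payload parsing exists in their stack.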
⚠️ Potential issue | 🟡 Minor

Use docs-style relative link (drop .md).
Internal docs links should follow the extensionless docs-relative format.

♻️ Proposed fix
-See the [Security FAQ](../../react/guide/security.md) - the security architecture is identical for React and Solid.
+See the [Security FAQ](../../react/guide/security) - the security architecture is identical for React and Solid.

As per coding guidelines, use relative links to the docs/ folder format (e.g., ./guide/data-loading) for internal documentation references.
