leptos-rs / book

The home for the Leptos book, which can be found deployed at https://book.leptos.dev
MIT License

Update Section 15.1. An Important Note on Security #86

Closed aschweig closed 3 months ago

aschweig commented 3 months ago

The existing language reads: "You should never return something sensitive from a server function." This text suggests it is impossible to make a server function secure. This commit indicates two necessary steps for making a server function appropriate for sensitive data.

This edit is intentionally narrow and minimal. Is there an appropriate link to provide here to expand on the topic?

gbj commented 3 months ago

The intention in this paragraph is to point out that server functions are not code that is running internally in your binary, which cannot be intercepted by the user: it is a network request like any other.

You should not return data that could be used inappropriately by a hostile end user, whether it's over TLS or not. This usually comes up in the context of things like "Oh, I'll just return this struct from a server function" when the struct contains something like a hashed password, or "Oh, I store the API keys in an env variable on the server and I'll read that in a server function so I can call the API."

There may be a better way of expressing what this paragraph is trying to express -- to me, the suggested edit might confuse the issue.

Not at all my area of expertise and I'm open to being wrong as always.

aschweig commented 3 months ago

My issue is that this language could be particularly off-putting to PHBs looking into adopting Leptos.

Maybe language like the following:

Server functions are public APIs and carry associated risks. Never return sensitive information from a server function unless it's properly secured. At a minimum, server functions should authenticate requests and the framework should employ adequate encryption.

aschweig commented 3 months ago

I'm taking another stab at this:

Server functions are public APIs with inherent risks. Never return sensitive information from a server function unless these risks are addressed. Minimally, server functions should authenticate requests, employ adequate encryption, and ensure that no user can use the API to extract unauthorized data, engage in privilege escalation, or otherwise disable or compromise the service.

benwis commented 3 months ago

Hmm, perhaps "Server functions create a public API endpoint. Do not return information from a server function unless it is public, or you've implemented proper security procedures. These procedures might include authenticating incoming requests, ensuring proper encryption, rate limiting access, and more."
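The two leaks gbj describes above (a whole database struct, hash included, handed back to the browser; an env-var API key read and returned) and the procedures benwis lists (authenticate the request, then decide what may be returned) can be shown in one small Rust model. This is an added example, not code from the Leptos book or the Leptos project: the `#[server]` macro, HTTP layer and session store are replaced by plain `std` types so it runs stand-alone, and `UserRecord`, `PublicProfile`, `Session`, `get_profile` and `upstream_lookup` are hypothetical names. The point it makes is that a server function is reachable by any HTTP client, so its return type should be a deliberate allow-list of fields and its body should authenticate before it looks anything up.

```rust
// Added example (not Leptos's own code). Models the trust boundary a Leptos
// #[server] function sits on: any HTTP client can call it, so it must
// authenticate, authorize, and return only an allow-listed shape.
use std::collections::HashMap;

/// What the database stores. The password hash must never cross the wire.
#[derive(Clone, Debug)]
pub struct UserRecord {
    pub id: u64,
    pub username: String,
    pub email: String,
    pub password_hash: String, // an argon2/bcrypt hash in a real system
}

/// The only shape the server function is allowed to return. Listing the
/// fields explicitly means a new sensitive column cannot leak by default.
#[derive(Clone, Debug, PartialEq)]
pub struct PublicProfile {
    pub id: u64,
    pub username: String,
    pub email: Option<String>, // shown only to the account owner
}

impl PublicProfile {
    fn from_record(r: &UserRecord, viewer_is_owner: bool) -> Self {
        PublicProfile {
            id: r.id,
            username: r.username.clone(),
            email: if viewer_is_owner { Some(r.email.clone()) } else { None },
        }
    }
}

/// Stand-in for what the framework extracts from the request (cookie/session).
/// `None` is an unauthenticated caller, i.e. anyone on the internet.
#[derive(Clone, Copy, Debug)]
pub struct Session {
    pub user_id: u64,
}

#[derive(Debug, PartialEq)]
pub enum ServerFnError {
    Unauthorized,
    NotFound,
}

/// Stand-in for a `#[server]` function that returns user data.
pub fn get_profile(
    db: &HashMap<u64, UserRecord>,
    session: Option<Session>,
    target_id: u64,
) -> Result<PublicProfile, ServerFnError> {
    // 1. Authenticate: anonymous callers are refused before any lookup.
    let session = session.ok_or(ServerFnError::Unauthorized)?;
    // 2. Fetch the full record; it stays inside this function.
    let record = db.get(&target_id).ok_or(ServerFnError::NotFound)?;
    // 3. Authorize per field and return the allow-listed shape only.
    Ok(PublicProfile::from_record(record, session.user_id == target_id))
}

/// The API-key case: the secret is read and used on the server; the caller
/// receives the upstream result, never the key.
pub fn upstream_lookup(session: Option<Session>, query: &str) -> Result<String, ServerFnError> {
    session.ok_or(ServerFnError::Unauthorized)?;
    let api_key = std::env::var("UPSTREAM_API_KEY") // hypothetical variable name
        .unwrap_or_else(|_| "constructed-test-key".to_string());
    Ok(mock_upstream(&api_key, query))
}

/// Stand-in for the third-party HTTP call that would carry the key in a header.
fn mock_upstream(api_key: &str, query: &str) -> String {
    if api_key.is_empty() {
        return "error: missing key".to_string();
    }
    format!("upstream data for {query}")
}

/// Constructed sample data standing in for the database.
pub fn sample_db() -> HashMap<u64, UserRecord> {
    let mut db = HashMap::new();
    for (id, name, mail) in [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")] {
        db.insert(id, UserRecord {
            id,
            username: name.to_string(),
            email: mail.to_string(),
            password_hash: "$argon2id$constructed".to_string(),
        });
    }
    db
}

fn main() {
    let db = sample_db();
    println!("anonymous: {:?}", get_profile(&db, None, 1));
    println!("bob views alice: {:?}", get_profile(&db, Some(Session { user_id: 2 }), 1));
    println!("alice views alice: {:?}", get_profile(&db, Some(Session { user_id: 1 }), 1));
}
```

Returning `PublicProfile` rather than `UserRecord` is the part that survives code churn: if someone later adds a TOTP secret or a reset token column to `UserRecord`, the server function's wire format is unchanged. Rate limiting and TLS, the other items in the list, live in the HTTP layer in front of the function rather than in its body.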

aschweig commented 3 months ago

> Hmm, perhaps "Server functions create a public API endpoint. Do not return information from a server function unless it is public, or you've implemented proper security procedures. These procedures might include authenticating incoming requests, ensuring proper encryption, rate limiting access, and more."

I liked this so I updated the PR to reflect this language.

benwis commented 3 months ago

Thank you!