From 73069af46e881ae2a4a5aa129f827f8c07259c57 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 1 Jan 2026 05:15:06 +0000 Subject: [PATCH] Clarify RSC security: no server-side flight parsing, no server functions Expand the security considerations section to explain that TanStack Start's RSC model doesn't send or parse flight data on the server (it flows one-way from server to client), and that React Server Functions aren't supported, meaning recent React security advisories don't apply to our architecture. --- src/blog/composite-components.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/blog/composite-components.md b/src/blog/composite-components.md index d152c967..a82bb2c7 100644 --- a/src/blog/composite-components.md +++ b/src/blog/composite-components.md @@ -342,7 +342,11 @@ Not currently. Server functions that return UI must wrap it in `createServerComp ### Any security considerations? -RSC endpoints accept and emit serialized payloads, so treat them like any API surface: authenticate requests, validate inputs, and keep React patched. Recent React advisories have touched RSC and server function serialization, so staying current matters. +TanStack Start's RSC model has a fundamentally different security surface than other RSC implementations. **We don't send flight data to the server, nor do we parse it there.** Flight payloads flow one direction: from server to client. The server produces RSC streams; the client consumes them. + +Additionally, **TanStack Start does not support React Server Functions** (the `'use server'` directive that creates server-callable endpoints from client code). Recent React security advisories around RSC and server function serialization specifically target vulnerabilities in parsing untrusted flight data on the server and in server function argument handling—neither of which apply to TanStack Start's architecture. + +That said, treat your server functions like any API surface: authenticate requests, validate inputs, and keep React patched. ---