@tannerlinsley tannerlinsley commented Jan 31, 2026

Concise FAQ answering common security questions:

  • CSRF protection (POST enforcement, custom headers, SameSite cookies)
  • Why Origin header is not trusted (CVE-2024-34351 prevention)
  • Prototype pollution prevention
  • RSC unidirectional flow
  • Links to existing docs for validation, middleware, execution model

Summary by CodeRabbit

  • Documentation
    • Added Security FAQ guides for React and Solid covering built-in protections, CSRF, SSRF, open redirects, XSS, DoS, RSC guidance, input validation, rate limiting, and secret management.
    • Added Security navigation entries and cross-references in authentication, middleware, and server-functions docs to improve discoverability.


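The PR description lists three CSRF mitigations (POST enforcement, a required custom header, SameSite cookies) and a prototype-pollution guard without showing them. The following is an added illustration, not code from the TanStack Start FAQ or the project itself; the request shape, the header name `x-requested-with`, and the function names are assumptions made for the example.

```javascript
// Added example: server-side request guard for a server-function endpoint.
// Illustrates the mitigations named in the PR description; it is not TanStack
// Start's implementation. Header name and request shape are assumptions.

// Hypothetical custom header that only same-origin JavaScript can attach.
const CSRF_HEADER = 'x-requested-with';

// `req` is a minimal request shape { method, headers } with lowercase keys.
// Returns { ok, reason } so a caller can log the rejection reason.
function checkServerFunctionRequest(req) {
  // 1. POST enforcement: a top-level GET navigation still carries a
  //    SameSite=Lax cookie, so state-changing calls must never be GET.
  if (req.method !== 'POST') {
    return { ok: false, reason: 'method not allowed' };
  }
  // 2. Custom header: an HTML form cannot set one, and a cross-origin fetch
  //    that adds one triggers a CORS preflight the server must not grant for
  //    this header. Its presence is therefore evidence of same-origin script.
  if (!Object.prototype.hasOwnProperty.call(req.headers, CSRF_HEADER)) {
    return { ok: false, reason: 'missing custom header' };
  }
  // The Origin header is deliberately not used as the trust anchor here;
  // the decision rests only on the method and the custom header.
  return { ok: true, reason: '' };
}

// 3. SameSite cookie: browsers omit it from cross-site requests. Only Strict
//    or Lax are accepted; None would reopen the cross-site path.
function sessionCookie(name, value, { sameSite = 'Lax', maxAge = 3600 } = {}) {
  if (!['Strict', 'Lax'].includes(sameSite)) {
    throw new Error('sameSite must be Strict or Lax');
  }
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAge}; ` +
    `HttpOnly; Secure; SameSite=${sameSite}`;
}

// Prototype-pollution guard: a JSON.parse reviver sees every key in the
// payload, so keys that could reach Object.prototype when the object is
// later merged are rejected before any application code touches them.
// Conservative on purpose: it also rejects a literal "constructor" key.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseServerFunctionPayload(text) {
  return JSON.parse(text, (key, value) => {
    if (POLLUTING_KEYS.has(key)) {
      throw new Error(`rejected key: ${key}`);
    }
    return value;
  });
}

// Constructed sample requests for a stand-alone run.
const sampleRequests = [
  { method: 'GET', headers: { [CSRF_HEADER]: 'fetch' } },
  { method: 'POST', headers: {} },
  { method: 'POST', headers: { [CSRF_HEADER]: 'fetch' } },
];
for (const r of sampleRequests) {
  console.log(r.method, JSON.stringify(r.headers), checkServerFunctionRequest(r));
}
console.log(sessionCookie('sid', 'abc', { sameSite: 'Strict', maxAge: 60 }));
try {
  parseServerFunctionPayload('{"__proto__":{"admin":true}}');
} catch (e) {
  console.log('payload rejected:', e.message);
}

module.exports = { checkServerFunctionRequest, sessionCookie, parseServerFunctionPayload };
```

The three checks are independent layers: the cookie attribute limits what a browser sends cross-site, the method check closes the top-level-navigation gap that Lax leaves open, and the custom header is the signal that the request originated from the application's own script rather than a foreign form.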
@github-actions github-actions bot added the documentation Everything documentation related label Jan 31, 2026
coderabbitai bot commented Jan 31, 2026

Walkthrough

Adds Security FAQ documents for React and Solid, updates navigation to include Security entries, and inserts contextual links to the Security FAQ within several existing React guides. No runtime code changes.

Changes

Navigation Configuration
  File(s): docs/start/config.json
  Summary: Inserted Security entries for React and Solid guides into the Getting Started navigation.

New Security Guides
  File(s): docs/start/framework/react/guide/security.md, docs/start/framework/solid/guide/security.md
  Summary: Added React Security FAQ covering built-in protections, CSRF, SSRF, open redirects, XSS, DoS, RSC notes, validation, secrets, and guidance; the Solid guide references the React doc and notes an identical security architecture.

React Guide Inline Links
  File(s): docs/start/framework/react/guide/authentication.md, docs/start/framework/react/guide/middleware.md, docs/start/framework/react/guide/server-functions.md
  Summary: Inserted brief notes/blockquote links pointing readers to the new Security FAQ in the authentication, middleware, and server-functions docs.

Sequence Diagram(s)

(removed — documentation-only changes; no multi-component runtime control flow introduced)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • schiller-manuel
  • birkskyum

Poem

🐇 I scurried through the docs at dawn,
Planted Security signs on each lawn.
Notes and FAQs, tidy and bright,
Guide the devs through safe delight.
Hop, secure, and code with light ✨

Pre-merge checks: 3 passed
  Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  Title check: Passed. The title 'docs(start): add security FAQ' directly and accurately summarizes the primary change, adding a new security FAQ document.
  Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.


nx-cloud bot commented Jan 31, 2026

CI pipeline execution for commit 914c1e1:
  nx affected --targets=test:eslint,test:unit,tes...  Succeeded (<1s)
  nx run-many --target=build --exclude=examples/*...  Succeeded (3s)

☁️ Nx Cloud last updated this comment at 2026-01-31 21:43:29 UTC

pkg-pr-new bot commented Jan 31, 2026

npm i https://pkg.pr.new/TanStack/router/@tanstack/arktype-adapter@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/eslint-plugin-router@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/history@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/nitro-v2-vite-plugin@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router-devtools@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router-ssr-query@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-client@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-server@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-cli@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-core@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-devtools@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-devtools-core@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-generator@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-plugin@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-ssr-query-core@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-utils@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/router-vite-plugin@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router-devtools@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router-ssr-query@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-client@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-server@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/start-client-core@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/start-fn-stubs@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/start-plugin-core@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/start-server-core@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/start-static-server-functions@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/start-storage-context@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/valibot-adapter@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/virtual-file-routes@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/vue-router@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/vue-router-devtools@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/vue-router-ssr-query@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/vue-start@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/vue-start-client@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/vue-start-server@6564
npm i https://pkg.pr.new/TanStack/router/@tanstack/zod-adapter@6564

commit: 914c1e1

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@docs/start/framework/react/guide/security.md`:
- Around line 60-62: Update the absolute docs link for the "Execution Model"
reference to a relative path: replace the Markdown link [Execution
Model](/docs/start/framework/react/guide/execution-model) in security.md with a
relative link (e.g., [Execution Model](./execution-model)) so internal docs use
the ./guide/ style; ensure you edit the "Execution Model" link text in that file
to the relative href.
- Around line 56-58: Update the documentation to use the correct API name
`.inputValidator()` instead of `.validator()` wherever referenced (e.g., the
server function validation examples) and change the absolute docs URL to a
relative link to the server functions validation page (use
`/start/framework/react/server-functions#validation` style relative path).
Ensure both occurrences in this file that mention `.validator()` are replaced
with `.inputValidator()` and their links are converted to the relative form so
the examples and links are accurate and consistent.

@tannerlinsley tannerlinsley force-pushed the claude/tanstack-security-research-GASeA branch 2 times, most recently from db22aed to 9db5e2d Compare January 31, 2026 21:03
Concise FAQ answering common security questions:
- CSRF protection (POST enforcement, custom headers, SameSite cookies)
- Why Origin header is not trusted (CVE-2024-34351 prevention)
- Prototype pollution prevention
- RSC unidirectional flow
- Links to existing docs for validation, middleware, execution model

https://claude.ai/code/session_01DdkxQsku9t8XigsBPQbx8n
@tannerlinsley tannerlinsley force-pushed the claude/tanstack-security-research-GASeA branch from 0151e63 to f7522df Compare January 31, 2026 21:41
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@docs/start/framework/solid/guide/security.md`:
- Line 6: Replace the hardcoded Markdown link '../../react/guide/security.md'
with the docs-style extensionless relative link '../../react/guide/security' in
the Solid guide line; update the link target in the string found in the file
content (the existing '../../react/guide/security.md') to drop the '.md' so it
follows the internal docs-relative format (e.g., './guide/...') used across
documentation.

title: Security FAQ
---

See the [Security FAQ](../../react/guide/security.md) - the security architecture is identical for React and Solid.
⚠️ Potential issue | 🟡 Minor

Use docs-style relative link (drop .md).
Internal docs links should follow the extensionless docs-relative format.

♻️ Proposed fix
-See the [Security FAQ](../../react/guide/security.md) - the security architecture is identical for React and Solid.
+See the [Security FAQ](../../react/guide/security) - the security architecture is identical for React and Solid.

As per coding guidelines, use relative links to the docs/ folder format (e.g., ./guide/data-loading) for internal documentation references.
