react-doctor/tanstack-start-get-mutation
Use `createServerFn({ method: 'POST' })` for data modifications — GET requests can be triggered by prefetching and are vulnerable to CSRF
- Category: Security
- Severity: warn
- Source:
oxlint-plugin-react-doctor - Framework: tanstack-start
- Enabled when: framework=tanstack-start and capabilities=tanstack-start
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Fires on a createServerFn().handler(fn) chain whose method option is missing or not POST/PUT/DELETE/PATCH, when the handler body contains a detected side effect — mutating array/Map operations, assignments to outer bindings, or calls in MUTATION_METHOD_NAMES like create/update/delete. False positive: locally-scoped Headers/FormData/Map mutations are already excluded, but novel mutation aliases can still slip through.
Fix prompt
Use this once validation confirms the diagnostic is real.
Pass { method: 'POST' } (or PUT/DELETE/PATCH) to createServerFn: createServerFn({ method: 'POST' }).handler(fn). GET server functions are eligible for router prefetching on link hover, so any side effect can fire from a CSRF probe or accidental preload. See https://tanstack.com/start/latest/docs/framework/react/server-functions
Related rules
More Security rules from the rules reference:
react-doctor/tanstack-start-no-secrets-in-loader: Loaders are isomorphic (run on both server and client). Wrap secret access in `createServerFn()` so it stays server-onlyreact-doctor/tenant-static-proxy-risk: Building an asset path from a client-supplied tenant, subdomain, or workspace value lets one tenant read another tenant's files.react-doctor/untrusted-redirect-following: Following a redirect from a request-supplied URL without re-validating each hop lets an attacker bounce your server into internal addresses (server-side request forgery).react-doctor/url-prefilled-privileged-action: Reading a privileged action from the URL (invite, role, permission, redirect, sharing) and acting on it lets an attacker craft a link that performs that action for a victim.react-doctor/webhook-signature-risk: An inbound webhook handler that acts on the request body without verifying the provider's signature will process forged requests from anyone.