React's most dangerous feature

Theo - t3.gg
339K subscribers
57K views
It pains me how little people understand "use server". Enough so to trigger a rant. Ugh. Hope this helps. Server components are DIFFERENT, not HARD.
SOURCES
x.com/RhysSull...
trpc.io/blog/t...
x.com/ryanflor...
nextjs.org/blo...
Check out my Twitch, Twitter, Discord more at t3.gg
S/O Ph4se0n3 for the awesome edit 🙏

Published: 28 Sep 2024
209 comments
@LadyEmilyNyx 25 days ago
I'm primarily a backend dev, and so I am always extremely careful about auditing what any external APIs do. I did not, however, realise that every "use server" was in effect creating another API. Now if you'll excuse me, I have several codebases to audit. Thanks for the heads up.
@dough-pizza 25 days ago
I created an auth decorator that calls the underlying action only if the user is authenticated and authorized to use the endpoint. Maybe you could do the same: `export const SomeAction = isAuthenticated("admin", () => { });`
@carvierdotdev 23 days ago
@dough-pizza could you make an npm package or at least a GitHub repo for the rest of the population like myself? I think it's useful, Sir.
@James-ry3bo 25 days ago
RSC is such a developer experience disaster. Too much magic and confusion about where your code runs. Having concrete application boundaries is a good thing!
@RhysSullivan 25 days ago
As of 8/22 the Next team has put out a fix for this issue via tree shaking unused action IDs, and I think it's being backported to v14. There's a deeper problem imo around the design of having implicit endpoint creation, but it's nice this specific problem is fixed.
@smallmoneybigmoney 25 days ago
So not worth the "cleanness" of the code IMO. I'd way rather prefer writing some boilerplate to keep things explicit so it's really hard to make mistakes like this.
@ooijaz6063 25 days ago
@smallmoneybigmoney So true. I am working full time on Java+Angular apps which "share endpoints" using OpenAPI. Everything is automatically generated. Works like tRPC, the only difference is that you have to restart your server and client for changes to be present. And we can use OpenAPI in any language we want...
@thethirdrace5107 25 days ago
Unless they also fixed the source map files, the treeshaking is "useless". The source map files are generated BEFORE the treeshaking, so while the final bundle might not have the code, your source map files WILL have it... Meaning you still expose everything if users have access to source map files.
@MilesFlavel 25 days ago
I feel like "use server" should have some sort of mandatory access level argument
@monad_tcp 25 days ago
They basically recreated ASP.NET WebForms. It only took 15 years and the pendulum came back to server components entangled.
@furycorp 25 days ago
I know, it's so funny how young CTOs and principal types are rediscovering web development from 15+ years ago. People spend so much time on solved problems as well as pursuing paths that are known to lead to doom and gloom. Every generation of young devs thinks they're the first people to encounter every issue that's new to them, and god forbid they bother to check with all the search and LLMs and other tools at our disposal these days
@alecmeyer3614 25 days ago
100% the truth, they have so many similarities, it's only flashier here because of React itself.
@cobrasys 21 days ago
I've said this in the comments of a different video, but in webdev, time really is a flat circle. Every decade or so something that was deemed Bad™ comes back as the New Amazing Thing™... except that it's really just the so-called Bad™ thing with a slight twist.
@DarkSwordsman 25 days ago
How long until NextJS reinvents Express middleware? :) Also, isn't one of the top engineering rules in *any* system to default to a safe or secure mode? Like railroad crossings defaulting to enabled, or door magnets turning off with loss of power? Shouldn't it be defaulting to not exposing your endpoints unless you tell it to?
@dealloc 25 days ago
One could argue for or against whether it could be considered a "security" issue; it depends on the context. The equivalent of this issue is your client includes info about endpoints, either defined manually or through code generation, for example, but they are unused. Unless you had some profiling tools that could flag unused endpoints. The counter-intuitive part is that you'd expect the bundler to not include any unused exported actions, just like any other module bundling does tree-shaking. Rhys is just pointing out that it could leak endpoints that you didn't intend in case you thought it was tree-shaken. Vercel fixed this in Next by tree-shaking the unused exported actions as you'd expect. The upside of this is that it's easier to augment unused endpoints through static analysis, compared to a lot of codegen solutions.
@MrManafon 25 days ago
"Express middleware" IS middleware lol, it's a pattern used in all servers, nothing to reinvent. Also, yes, NextJS should totally do that, because the current "middleware" is not actually middleware at all, at least not in the user space
@MerthanMerter 25 days ago
next safe actions
@furycorp 25 days ago
No, their goal is to "ship fast" "even before it works" in a goal to lock developers into their ecosystem so they can rationalize how an AWS reseller got a multibillion dollar valuation.
@MerthanMerter 25 days ago
@furycorp you can't say there is no effort being put into this
@PpVolto 25 days ago
Everyone says control your access, but everyone falls short of showing how to do it correctly. My loved example is a company blog system: one user writes an article and sets the state to review, and then another user can change/publish the article. Not too simple and not too complex to show every access control you need. The best part is how you design the article flow changes the access control.
@kevin5523 25 days ago
I don't know if adding export to a function might cause a security issue; we need to start re-evaluating if this is the way to go
@SimonHuggins 25 days ago
Wasn't using hidden variables in a form to share state an anti-pattern once upon a time? We decided that API calls were the right thing to do because it makes it clear what is intended and designed, and you can more easily force security on the back end. This seems like one of those 'easy now but nightmare to debug and optimize later' scenarios.
@nordern1 25 days ago
The major problem, I think, is that the abstraction seems specifically built so you don't have to think about the fact that you are writing and calling endpoints. Designing the API to make the server boundary invisible, then saying "silly developer, don't you know there are risks to this free-floating string" is not productive and doesn't help make things more secure.
@SingWithCJ 25 days ago
Powerful feature, but could have been more explicit by annotating every exported endpoint separately instead.
@SirCorrino 25 days ago
This is one of the reasons I like having a Spring Boot backend instead. It's so easy to have auth on *every* endpoint all controlled in one spot rather than having to remember to secure each one individually. Next.js should have something similar.
@web_dev_cz 25 days ago
As a Java developer I find the problem and especially the conclusion to be the absolute basics of server development, and it is so trivial that I'm quite speechless as to how people arrived at this problem...
@psyferinc.3573 10 days ago
damn, the videos in the middle of the flow have started.
@francois-pierrethibault2651 24 days ago
The next-safe-action library is great for this use case. Use the library's middleware for the user permission check.
@shaked1233 25 days ago
That's why I like zsa: create a server action that does the auth boilerplate, and reuse it with every action, using a one-liner.
@cobrasys 21 days ago
This video should have been called "Frontend devs slowly realizing that frontend dev isn't fullstack dev".
@codedusting 25 days ago
When you say endpoint, does that mean we can call server actions from Postman or a similar tool? How?
@heunha9269 25 days ago
Yes, server actions are just functions converted to POST endpoints, but it acts like an RPC call
@codedusting 25 days ago
@heunha9269 say I have a "use server" action in a form at app/dashboard/page.tsx. How can I call it using Postman?
@StingSting844 25 days ago
Why doesn't the bundler expose only the exported functions? Rather than all exported from a file? They could still allow all exports in an endpoint by coming up with some other stupid term like "use server; export all"
@collinoly 25 days ago
So how do you write tests for these functions if you can't export them? Can you make these private methods of a class and export that?
@---.. 25 days ago
Same thought I had. You can move the function you want to test to its own file that does not "use server" and test it from there (this was shown in the video), but that's annoying. The ability to test random things without exporting them is one of the things I miss most working in JS/TS compared to Rust.
@collinoly 24 days ago
Yeah, that's actually one of the benefits of classes. Assuming you're using TypeScript, you can mark the method as private but still allow them to be accessible for testing.
@RishavMondal-i1u 21 days ago
When you're typing I can see some suggested words showing up randomly. Do you want to share what you are using for this?
@aaraz101 25 days ago
If the auth check is done at the middleware level, does it protect the endpoints created by "use server"?
@limbo3545 25 days ago
I know why I hate NextJS. The lack of separation of concerns makes me concerned.
@FeFeronkaMetallica 24 days ago
So none of you read the docs for Next? This was clearly mentioned in there. How is this new?
@fallenpentagon1579 25 days ago
nextjs is so insecure!!! if you accidentally export a function named "GET" from a file named "route.js" it gets exposed as an API endpoint!!! How is anyone supposed to know that!!! HUGE security risk!!!
@salman0ansari 25 days ago
if you are not protecting an action with auth it's your own mistake.
@universebot2363 23 days ago
I see anything sensitive in /app as a code smell. Private/internal logic should be separate from the frontend.
@moonwhisperer4804 25 days ago
i hate 'use server'; it's the stupidest thing ever.
@martinlesko1521 25 days ago
and what's your alternative then?
@ooijaz6063 25 days ago
@martinlesko1521 OpenAPI and a real backend with a tRPC-like feel??
@moonwhisperer4804 25 days ago
@martinlesko1521 tRPC and client-side components are all you need and far superior. server-side components are like taking a step backward.
@vertas.y 25 days ago
it's a developer's problem, not React's
@wassafshahzad8618 25 days ago
it clearly is a React issue. You are adding more and more complexity between the library and the developer. ReactJS went from a library to now having its own compiler.
@surfingbilly9654 25 days ago
who asked?
@Noam-Bahar 25 days ago
Aaaaaaaa so many foot guns
@chadgrant8870 14 days ago
server side react is dumb
@zactron1997 25 days ago
Implicitly creating endpoints is the problem. The more things you make implicit in a framework, the greater the opportunity for a nightmare to be created.
@rod6722 24 days ago
That's why I keep using API routes in NextJS instead of server actions. Less magic going on.
@MaxOut931 20 days ago
I totally agree! I tend to use the new stuff without fully understanding the implications of it, or sometimes even not understanding the implications at all, but just doing it because it makes things easier 😅
@kylemichaelsullivan 25 days ago
"When you're exposing things with 'use server', you have to assume that th[e] function can be run by anybody. I think a lot of the issue that's happening here is that web developers aren't used to dealing with access control." Great video, as always, but IMHO this is the TL;DR of this video, and maybe it's worth its own reel/short.
@sulavbaral9972 25 days ago
True, anyone that has implemented similar things in a proper backend environment with an API and stuff will realise that it needs to be protected as it's exposed. I don't get why people don't wrap their heads around this aspect when writing server actions
@bl_sonic3288 25 days ago
@sulavbaral9972 These are frontend devs we are talking about. They don't worry about user input, that's the backend guys' problem.
@magne6049 25 days ago
*frontend developers
@aberba 25 days ago
@sulavbaral9972 because it's not immediately obvious that it's basically an HTTP route. That important detail isn't well communicated.
@martybando1668 25 days ago
@kylemichaelsullivan Bingo
@RoyaltyInTraining. 25 days ago
JS devs seem so odd to me sometimes. They berate people for using HTMX cause it breaks separation of concerns, but then they just blatantly throw server side code into their client side files?
@yashkhambhatta9536 25 days ago
Theo is the type of guy to explain a problem for 10 minutes only to be like: "yeah so we AREN'T gonna talk about this actually, this is completely different"
@steverude 25 days ago
Maybe they should invent an HTTP header for Authorization. They mustn't have thought about it…
@NubeBuster 24 days ago
But what if one endpoint is supposed to be public and the internal function not?
@echobucket 25 days ago
NextJS suffers from the same thing most large web frameworks do. Complexity. In an effort to make things "easier" they've actually made it very complex. So much so that people often do incorrect things because they don't really understand the complexity.
@3ventic 25 days ago
25:15 if code review is your only line of defence against something, you're not well defended against it, because for a ton of people it's "just a job" and they don't care to fully understand every detail in changes they review; mistakes and oversights are a big reason for security breaches.
@3ventic 25 days ago
Part of the issue here is overloading the export keyword to mean two different things: to create an endpoint and to allow it to be called from other modules. I feel like it's an unnecessary footgun in the design.
@BobKane-g6x 25 days ago
I don't know, man; it looks leakier than the 43-year-old toilet in my apartment. There's no way every developer can keep up with every exposed point.
@MrManafon 25 days ago
True, which is why it is our job as development leads to create a system in which developers are less likely to make these mistakes, through code organization and composition, as we do in any other backend framework…
@memeteamdreamteam3990 25 days ago
React keeps making various forms of useEffect footguns lol
@theairaccumulator7144 25 days ago
React itself is a footgun
@lidinzx 25 days ago
I kind of understand the use of "use server", but it is kind of complex to maintain as the app keeps growing. I prefer a separated backend, and not doing SQL queries inside the actions; instead I call my backend, which needs authorization and doesn't care about the exposed endpoints on NextJS. That way, I don't have to worry about those security issues that Next.js has.
@rob6129 25 days ago
It's not a security issue, it's a skill issue
@collinoly 25 days ago
@rob6129 most security issues are skill issues. Memory leak in a C code base, skill issue. Still a security issue.
@bennythetiger6052 25 days ago
@rob6129 the issue is actually the fact that this kind of thing should've never come into existence in the first place. Security issues arise from either software problems or, more commonly, anthropic effects. In this, like in many other cases, it's people trying to cut corners and take shortcuts when they really shouldn't.
@ooijaz6063 25 days ago
@rob6129 It's called "separation of concerns". And it's the simplest form of it. There is one thing that is sure: human error will occur. We want to minimize the chance of it as much as we can. Has everyone forgotten OpenAPI? You can generate tRPC-like endpoints from nearly any backend language without much hassle...
@MrManafon 25 days ago
server actions are literally "separated backend API calls", you are missing the point
@iftyislam6761 25 days ago
Frontend and backend should be separate. Why is every frontend framework pushing fullstack?
@theairaccumulator7144 25 days ago
Because it's more convenient, but convenience is the bane of cleanliness, efficiency, security and basically everything else other than development speed. People care more about putting out garbage quickly than putting out good stuff slowly.
@kisaragi-hiu 25 days ago
19:00 less "unintuitive" and more "why is this not the first line in the docs". "'use server' turns the function (or, at the top level, all exported functions in the file) into supercharged endpoints" or something like that.
@cloynelson2974 25 days ago
This. Documentation should be like a user manual for a dishwasher, where at the top all the dangers are listed, and not a novel, where you gotta read it all before you get it.
@FeFeronkaMetallica 24 days ago
It is there in the docs
@prozacgod 25 days ago
I think in your example requiring an auth check is an anti-pattern type suggestion, as in the case of your function "donotuse" etc. you already believe it's not going to become an endpoint, so... you won't be putting auth checks in there. I suspect the best possible standard is "use server" per function; I would probably just make that the standard on a team if it were a NextJS project.
@aberba 25 days ago
Why is communication around Server Actions not making it immediately obvious that it's basically an HTTP route? That important detail would have prevented this very issue of unprotected routes.
@bosung90 25 days ago
In our team, we always end our filename with .server for server-run code. For example, actions.server.ts
@rivomananamandaniaina5193 24 days ago
actions are basically running on the server, aren't they? if not, they are just js/ts functions..
@MrHopp24 25 days ago
Yeah, it completely abstracts away the explicit calls to and from the server; obviously it's a foot gun. Convenient at what cost?
@khaled_osman 25 days ago
separation of concerns went from HTML and CSS in JS to backend in frontend really quick. what a mess.
@BellCube 25 days ago
I think the big concern is the very, very, very low barrier to error and the kinda unintuitive behavior of "use server" not currently being tree-shaken (only create endpoints for used routes on a page), meaning it's very easy to create the problem and, honestly, not easy to check unless you already know about the quirk. Code review is great, but it assumes everyone understands the "make it all an endpoint" behavior, which I wouldn't consider intuitive.
@NotherPleb 25 days ago
The solution can't be "audit and code review"; the security of actions is way too fragile. Relying on people doesn't scale, sometime somewhere they will fail for whatever reason, and you will wish you had a compiler or linter telling you "are you sure this is what you want?"
@thegrumpydeveloper 25 days ago
Should be "use api" or should have been a decorator or function wrapper, or just have an api prefix: apiDoSomething.
@Fuzbo_ 25 days ago
Honestly might make a simple ESLint plugin to require a comment like "// safe-public-endpoint" (or something to that effect) on all exports of a "use server" marked file to at least make the developer acknowledge that this is an endpoint and is safe if hit directly. Obviously not robust, but I'd rather rely on automated CI checks to flag issues than code review.
@duven60 25 days ago
I like that idea; make it part of the JSDoc or something so it shows up in the IntelliSense anywhere the function gets used
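The ESLint idea in the comment above (require an acknowledgement comment on every export of a "use server" file) can be sketched as a plain text scanner. The TypeScript below is an added example written for this page; it is not an ESLint rule and not part of Next.js or the video. The `// safe-public-endpoint` marker, the regex-based export detection and the sample module are all assumptions, and the `db` calls in the sample are constructed text that is never executed.

```typescript
// Added example for this page: a toy scanner, not an ESLint rule and not part of Next.js.
// Assumption: the acknowledgement marker is "safe-public-endpoint" in a line comment
// directly above the export (blank lines allowed in between).

export const ACK_MARKER = "safe-public-endpoint";

/** True when the first non-blank, non-comment line is the "use server" directive. */
export function isServerActionModule(source: string): boolean {
  for (const raw of source.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("//")) continue;
    return /^["']use server["'];?$/.test(line);
  }
  return false;
}

// Matches `export [async] function name` and `export const|let|var name`.
const EXPORT_RE = /^\s*export\s+(?:async\s+)?(?:function|const|let|var)\s+([A-Za-z_$][\w$]*)/;

/** Exports of a "use server" module that carry no acknowledgement comment. */
export function findUnacknowledgedExports(source: string): string[] {
  if (!isServerActionModule(source)) return []; // not an action module: nothing is an endpoint
  const lines = source.split("\n");
  const missing: string[] = [];
  for (let i = 0; i < lines.length; i++) {
    const m = EXPORT_RE.exec(lines[i] ?? "");
    if (!m) continue;
    // Walk back over blank lines to the nearest preceding line.
    let j = i - 1;
    while (j >= 0 && (lines[j] ?? "").trim() === "") j--;
    const prev = j >= 0 ? (lines[j] ?? "").trim() : "";
    const acknowledged = prev.startsWith("//") && prev.includes(ACK_MARKER);
    if (!acknowledged) missing.push(m[1] ?? "");
  }
  return missing;
}

// --- constructed sample module (text only; nothing in it is executed) ---
export const SAMPLE = `"use server";

import { db } from "./db";

// safe-public-endpoint: scoped to the caller, checks the session inside
export async function updateOwnProfile(formData: FormData) {
  // ...
}

// Looks internal, but export + top-level "use server" makes it a public endpoint.
export async function deleteUser(id: string) {
  return db.user.delete({ where: { id } });
}

export const wipeCache = async () => db.\$executeRaw\`TRUNCATE cache\`;
`;
```

Run against `SAMPLE` it reports `deleteUser` and `wipeCache`, which is the point: the file's author probably never thought of those as routes. The scanner only understands the top-level directive and `export function`/`export const` declarations; `export { a, b }` lists, `export default`, and per-function `"use server"` directives inside bodies (which also create endpoints) need real AST analysis, which is what an actual ESLint rule would use.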
@abcdmku1 25 days ago
relying on a code review for security ain't it
@dyto2287 25 days ago
Congrats, JS is more insecure than PHP.
@MrManafon 25 days ago
php is not insecure lol, reddit reader spotted
@XxZeldaxXXxLinkxX 25 days ago
@MrManafon Tell me you have no cyber sec experience without telling me you have no cyber sec experience
@fallenpentagon1579 25 days ago
php isn't insecure. Neither is JS. The problem is always bad developers. You have plenty of those in both communities.
@dyto2287 25 days ago
@fallenpentagon1579 Poorly designed languages and frameworks lead to devs making more insecure software. Crap tools = crap software.
@XxZeldaxXXxLinkxX 25 days ago
@fallenpentagon1579 You think only bad developers make mistakes? _Every_ developer makes mistakes. The more robust the language, the more safety nets there are to help catch those mistakes. But these languages are also made by humans, so every language can be considered insecure to some extent. But, on the spectrum of languages, I definitely wouldn't put PHP on the "secure" side
@prozacgod 25 days ago
IMHO your GraphQL issue is only there because of the use of the schema DSL. I've always used the programmatic APIs and composed PER-role graphs; they all run on the same ctx, but the graphs actually omit entire branches based on permissions.
@sulavbaral9972 25 days ago
I mean, if you don't have proper checks in an API, it will also have this same problem?
@MrManafon 25 days ago
yeah, folks really don't understand that it's just an API, and issues have to be solved through code composition and organization, not by NextJS placing fake guardrails. Same thing happened back when React couldn't explain to people what DTOs are, and ended up implementing a crappy field-level access control mechanism 😂
@sulavbaral9972 25 days ago
@MrManafon people don't even understand how to have proper access control and then complain saying it's an issue lmao
@MrHopp24 25 days ago
"The delete button can own its behavior": somewhere Carson Gross just took his seventh shot of whiskey
@kassios 25 days ago
I think Next.js tries to be too clever for its own good and might drag Server Side React down with it. Too much abstraction and complexity, bad development experience (hard to trace errors, buggy hot reloading, memory hog server). You switch back to a Vite project and everything is light/fast and crystal clear.
@MrJfergs 25 days ago
Colocation is all good until you realize the implicit nature of "use server" is a leaky abstraction.
@andreichicu2799 3 days ago
it would look better imo if the "use server" functions would explicitly receive as arguments the variables used from the UI context, so whoever looks at the code knows at a glance what inputs are generated and what is sent
@matiascova 25 days ago
I love your content. Since the Twitter drama with yacine, you seem too preoccupied with not being perceived as a shill, so your content seems targeted at cleansing your reputation (I love Elixir, I am a serious programmer, etc.). Just be yourself, and focus on cool/useful content; nobody cares about purists, and everyone is tired of yacine's antics anyway.
@LeonBlade 24 days ago
Why is this video edited so weirdly? It jumps ahead, then goes backwards to explain code that already existed.
@rns10 25 days ago
So if there is an unintentionally exposed function which does some heavy processing like data sync, calculations, or an AI-generated response of text/image, someone could abuse it by calling it directly where the dev didn't think of implementing a check, because they implemented a check on the original endpoint and not here. Can it happen?
@12crenshaw 25 days ago
Oh shit. We've come full circle. A frontend framework templating a server xddd oh god. The JS environment is a wacky one
@fronix5060 25 days ago
Vercel might wanna add some type of "use this function to verify all 'use server' functions". Instead of having to audit all this shit and figure out every little possible leak that might happen...
@LuicMarin 24 days ago
If you read the documentation for Next.js, they actually have a part that says that all server actions should be treated as public API endpoints and protected. So whose fault is it then?
@redders6600 24 days ago
Well, this was confusing! I think your editor f**ked up. Watch from 6min to 11min.
@cloudsss83 24 days ago
Maybe Vercel should change that decorator to something else, like "as endpoint" instead of "use server"...
@DellmantHD 25 days ago
Would using `next safe action` with middleware that checks for auth of some kind fix the problem?
@MaxOut931 20 days ago
Why is your Arc logo so beautifully shiny ✨ unicorny 🦄 looking? Like it was kissed by a fairy 🧚. I want this too!
@alexandertarasenko3038 5 days ago
If you have to dig into how the internals of a framework work, doesn't it mean there's something wrong with it?
@dovonun 25 days ago
Ohh no, someone could hit my Laravel controller with a POST. If I do not check if they are allowed to, they could do something bad 🤯
@WojtekPoroslo 24 days ago
react is way past maturity and deep into senescence, and we still allow it to run the show while it should just get off stage and stop. it's confused and confusing everybody else
@incarnateTheGreat 21 days ago
The more and more I watch videos about Next, the better I feel that I switched to Remix from using Next.
@rixis2940 22 days ago
This video is a good example for FE devs to learn and understand API gotchas.
@DevinMakhulo 24 days ago
My understanding is that the "server only" directive is a safety catch for any trouble "use server" could cause.
@AngelEduardoLopezZambrano 25 days ago
MFW people don't use middleware to secure all their routes
@hello19286 25 days ago
MFW people use cookies, which are ass to validate in middleware due to how poorly designed middleware's "edge" runtime is.
@furycorp 25 days ago
@hello19286 MFW people are convinced they need globally distributed "serverless" "edge" functions for apps that will never have a lot of users nor a global audience, and so they make sweeping compromises on security, architecture, and design decisions to meet a set of requirements that they don't have nor ever will
@lipemenezes23 25 days ago
I always prefer to spend more time writing explicit actions and routes with clear access control.
@includenull 25 days ago
That was a convoluted way to say frontend devs have skill issues 😅
@duven60 25 days ago
If by "skill issues" you mean: a completely different specialty, and foisting this on them was always going to end in tears
@moosegoose1282 25 days ago
theo go over why the CSRF token is useless on modern browsers
@n1rus 24 days ago
What do we do? Make it a bad practice and write an eslint rule for newbies?
@cloynelson2974 25 days ago
BTW, given you're an insider at Vercel, in-depth explanations like this would be so much more appreciated than drama or clickbait
@_crystaleyes1922 15 days ago
it's too hard
@metalbroga 24 days ago
A middleware that checks the auth user would solve the issue??
@zacclifton5479 25 days ago
Is there an ESLint or Prettier plugin that you can use to lint for this?
@captainlennysub 25 days ago
0:13 Tons of Damage!
@sahilpanigrahi6163 25 days ago
😂
@vivsh.1999 24 days ago
oh boy
@muhammadalifdanielbinmohdh3188 24 days ago
You're all probably expect me
@potors 23 days ago
both are terrible decisions
@SeanCassiere 25 days ago
Just don't use top-level "use server". Do yourself a favour and understand that each function with the "use server" pragma creates an endpoint. From there, opt in as you see fit.
@rijkvanwel 25 days ago
Can we all agree that "use server" is just a terrible name 🤦‍♂️
@Jdinrbfidndifofkdndjoflfndjdk 25 days ago
dude! Remix is def way more safe, faster and straightforward
@CodingEnjoyer 25 days ago
Just use next safe actions and your problem is solved
@dytra_io 25 days ago
should've used the keyword "expose server" instead of "use server"
@harshitgupta2803 25 days ago
too bad that the code for getProfileDTO gets executed and the db call is made even though the canSee attribute is false. as a backend dev we validate authorisation before any IO or operations.
@harshitgupta2803 25 days ago
i take that back. i see i commented too fast. this is not authorization but rather obfuscation.
@dodyprass 25 days ago
The only real solution 23:22
@Magnom365 25 days ago
This is the way
@azizsafudin 25 days ago
This is worse than PHP, officially.
@mdazimbabu5001 21 days ago
Why "use server"? Isn't it already server side rendering?
@sayemprodhanananta144 25 days ago
Just imagine doing all this bs to avoid PHP
@gotxe 22 days ago
React doesn't have this "feature".
@cloynelson2974 25 days ago
Btw, what's with the naming? "endpoint-exports" would be a bit more descriptive than "actions". Less marketable, but a bit more self-explanatory.
@brennan123 25 days ago
Seems like a good use case for a higher order function that wraps the function with auth. Not sure if that is going to make the TS type definitions a bit unwieldy though. Very mixed feelings about this. I can see the arguments both ways. Leaning towards breaking widely held assumptions and making it insecure by default is a "bad thing" though. IFF the dev knows this, it is fine. But how many are actually going to know it is exposed?