What are "encrypted closures" in Next.js and how do they work?

Question

Learn Next.js mentions "encrypted closures" as an important security mechanism as part of Server Actions, where some of your Next.js app runs on the server instead of in client-side JavaScript.

I know what a closure is and I know what encryption is. However, I have no idea (and can't find any resources about) what "encrypted closures" are. Does anyone know:

1. How they work
2. What attacks they prevent
3. What situations they are most useful?

I searched google, bing, and ChatGPT for information but couldn't find anything.

Answer 1

Defining a Server Action (the closure) inside a (client-side) component means that any captured variables are sent to the client on page load and then back to the server when the action is invoked. These captured variables may contain sensitive information, so Next.js automatically encrypts them so that the client can't read them.