add new serialization section

Author: atilafassina

src/routes/solid-start/advanced/data.json

@@ -5,6 +5,7 @@
 		"session.mdx",
 		"request-events.mdx",
 		"return-responses.mdx",
+		"serialization.mdx",
 		"auth.mdx",
 		"websocket.mdx"
 	]

src/routes/solid-start/advanced/serialization.mdx

@@ -0,0 +1,78 @@
+---
+title: Serialization
+use_cases: >-
+  server function payloads, data transfer, csp, security, performance
+tags:
+  - serialization
+  - server-functions
+  - csp
+  - security
+  - performance
+version: "1.0"
+description: >-
+  Understand how SolidStart serializes server function payloads, supported
+  types, and CSP tradeoffs.
+---
+
+SolidStart serializes server function arguments and return values so they can travel between server and client. It uses Seroval under the hood and streams payloads to keep responses responsive.
+
+## Configuration
+
+Configure serialization in your `app.config.ts` with `defineConfig`:
+
+```tsx tab title="v1"
+import { defineConfig } from "@solidjs/start/config";
+
+export default defineConfig({
+	serialization: {
+		mode: "js",
+	},
+});
+```
+
+```tsx tab title="v2"
+import { defineConfig } from "vite";
+import { solidStart } from "@solidjs/start";
+
+export default defineConfig({
+	plugins: [
+		solidStart({
+			serialization: {
+				mode: "json",
+			},
+		}),
+	],
+});
+```
+
+See the full config reference in [`defineConfig`](/solid-start/reference/config/define-config#serialization).
+
+## Modes
+
+- `json`: Uses `JSON.parse` on the client. Best for strict CSP because it avoids `eval`. Payloads can be slightly larger.
+- `js`: Uses Seroval's JS serializer for smaller payloads and better performance, but it requires `unsafe-eval` in CSP.
+
+:::caution[v2 Breaking Change: Defaults]
+SolidStart v1 defaults to `js` for backwards compatibility. SolidStart v2 defaults to `json` for CSP compatibility.
+:::
+
+## Supported types (default)
+
+SolidStart enables Seroval plus a default set of web platform plugins. These plugins add support for:
+
+- `AbortSignal`, `CustomEvent`, `DOMException`, `Event`
+- `FormData`, `Headers`, `ReadableStream`
+- `Request`, `Response`
+- `URL`, `URLSearchParams`
+
+Seroval supports additional value types. The compatibility list is broader than what SolidStart enables by default, so treat it as a superset. See the [Seroval compatibility docs](https://github.com/lxsmnsyc/seroval/blob/main/docs/COMPATIBILITY.md).
+
+## Limits and exclusions
+
+- `RegExp` is disabled by default.
+- JSON mode enforces a maximum serialization depth of 64. If you exceed this, flatten the structure or return a simpler payload.
+
+## Related guidance
+
+- Configure modes and defaults in [`defineConfig`](/solid-start/reference/config/define-config#serialization).
+- CSP implications and nonce examples live in the [Security guide](/solid-start/guides/security#content-security-policy-csp).

src/routes/solid-start/guides/security.mdx

@@ -11,7 +11,7 @@ tags:
   - csp
   - middleware
   - protection
-version: '1.0'
+version: "1.0"
 description: >-
   Secure your SolidStart apps against XSS, CSRF attacks. Configure CSP headers,
   CORS policies, and implement security best practices.
@@ -38,7 +38,7 @@ It is highly recommended to read the [Cross Site Scripting Prevention Cheat Shee
 
 To configure the `Content-Security-Policy` HTTP header, a [middleware](/solid-start/advanced/middleware) can be used.
 
-If you enforce a strict CSP, configure SolidStart to use JSON serialization mode to avoid `unsafe-eval` requirements. See [defineConfig serialization](/solid-start/reference/config/define-config#serialization). Note that `'unsafe-eval'` is only required when using `serialization.mode: "js"`, and the nonce-based CSP example below assumes this mode.
+If you enforce a strict CSP, configure SolidStart to use JSON serialization mode to avoid `unsafe-eval` requirements. See [defineConfig serialization](/solid-start/reference/config/define-config#serialization). Note that `unsafe-eval` is only required for `serialization.mode: "js"`.
 
 ### With nonce (recommended)
 
@@ -62,7 +62,7 @@ export default createMiddleware({
 
 		const csp = `
       default-src 'self';
-      script-src 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval';
+      script-src 'nonce-${nonce}' 'strict-dynamic';
       object-src 'none';
       base-uri 'none';
       frame-ancestors 'none';

src/routes/solid-start/reference/config/define-config.mdx

@@ -81,7 +81,16 @@ export default defineConfig({
 - SolidStart v1 defaults to `js` for backwards compatibility.
 - SolidStart v2 defaults to `json` for CSP compatibility.
 
-Seroval defines the supported value types and edge cases. See the full list in the [Seroval compatibility docs](https://github.com/lxsmnsyc/seroval/blob/main/docs/COMPATIBILITY.md).
+### Supported types (default)
+
+SolidStart enables Seroval plus a default set of web platform plugins. These plugins add support for:
+
+- `AbortSignal`, `CustomEvent`, `DOMException`, `Event`
+- `FormData`, `Headers`, `ReadableStream`
+- `Request`, `Response`
+- `URL`, `URLSearchParams`
+
+Seroval supports additional value types. The compatibility list is broader than what SolidStart enables by default, so treat it as a superset. See the full list in the [Seroval compatibility docs](https://github.com/lxsmnsyc/seroval/blob/main/docs/COMPATIBILITY.md).
 
 ## Configuring Nitro
 

src/routes/solid-start/reference/server/use-server.mdx

@@ -98,7 +98,7 @@ The data for the redirected page is fetched and streamed to the client in the sa
 ## Serialization
 
 Server functions allow the serialization of many different data types in the response, using the Seroval serializer.
-The full list is available [in Seroval's source code](https://github.com/lxsmnsyc/seroval/blob/main/docs/compatibility.md#supported-types).
+For supported types, defaults, and CSP tradeoffs, see the [Serialization guide](/solid-start/advanced/serialization).
 Configure serialization mode and CSP behavior in [`defineConfig`](/solid-start/reference/config/define-config#serialization).
 
 ## Meta information