Client-side security boils down to one simple rule: Never trust the client
Client-side security boils down to one simple rule: Never trust the client.
Assume the user will:
- Manipulate the URL
- Call endpoints directly with customized payloads
- Change browser storage values
So, don’t trust the client. Validate requests on the server.
This means client-side validation is merely a nice add-on for improving the user experience. It provides zero security.
This means hiding an “admin only” button or link is merely a user experience tweak. The user may still try to send the request.
So, the server must validate.
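The principle above, as an added example that is not part of the original post: a request handler written two ways. The first trusts an `isAdmin` flag the client sends in the payload (it could just as well come from localStorage, a hidden form field or a query parameter); the second derives identity from a server-side session, checks the role stored on the server and re-validates the input even though the UI validates it too. All names (`SESSIONS`, `deleteUserTrustingClient`, `deleteUserServerValidated`, the sample users) are hypothetical and constructed for the example.

```javascript
// Added example, not code from the original post. Hypothetical names throughout.

// Constructed server-side session store: the only trustworthy source of who is calling.
const SESSIONS = {
  'sess-alice': { user: 'alice', role: 'admin' },
  'sess-bob':   { user: 'bob',   role: 'user' },
};

// Constructed user table; returned fresh so each run starts from the same state.
function makeUsers() {
  return new Set(['alice', 'bob', 'carol']);
}

// VULNERABLE: trusts the client. The UI hides the "delete user" button from
// non-admins and sends isAdmin:false, but nothing stops a user from calling the
// endpoint directly with isAdmin:true, exactly the scenario the post describes.
function deleteUserTrustingClient(req, users) {
  if (!req.body.isAdmin) return { status: 403, body: 'forbidden' };
  users.delete(req.body.target);
  return { status: 200, body: `deleted ${req.body.target}` };
}

// HARDENED: every decision is made from server-side state and server-side checks.
function deleteUserServerValidated(req, users) {
  // 1. Identity comes from the session the server issued, never from the payload.
  const session = SESSIONS[req.cookies && req.cookies.sessionId];
  if (!session) return { status: 401, body: 'not authenticated' };

  // 2. Authorization uses the role stored on the server, not a client-supplied flag.
  if (session.role !== 'admin') return { status: 403, body: 'forbidden' };

  // 3. Input is validated on the server even though the client also validated it.
  const target = req.body && req.body.target;
  if (typeof target !== 'string' || !/^[a-z0-9_]{1,32}$/.test(target)) {
    return { status: 400, body: 'invalid target' };
  }
  if (!users.has(target)) return { status: 404, body: 'no such user' };

  users.delete(target);
  return { status: 200, body: `deleted ${target}` };
}

// Constructed request: bob, an ordinary user, bypasses the UI and sends a crafted
// payload claiming admin rights. Only the session cookie is something the server
// can actually verify.
function forgedRequest() {
  return {
    cookies: { sessionId: 'sess-bob' },
    body: { isAdmin: true, target: 'carol' },
  };
}

// Run the same forged request through both handlers and report what each did.
function demo() {
  const usersA = makeUsers();
  const vulnerable = deleteUserTrustingClient(forgedRequest(), usersA);

  const usersB = makeUsers();
  const hardened = deleteUserServerValidated(forgedRequest(), usersB);

  return {
    vulnerableStatus: vulnerable.status,   // 200: carol was deleted by a non-admin
    vulnerableCarolExists: usersA.has('carol'),   // false
    hardenedStatus: hardened.status,       // 403: server-side role check refused it
    hardenedCarolExists: usersB.has('carol'),     // true
  };
}

console.log(demo());
```

The hardened handler also rejects a malformed `target` with 400 and an unknown one with 404 before touching the data, which is the server doing the validation the UI only pretended to guarantee.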