Application security practices for frontend and backend

reactjs security asp.net-core project-management

I'm currently working on a website frontend(React js) and backend(Asp.net core). I have been insisting on backend security for the API's. (Role and permission based authorization). The super senior dev keeps insisting on placing authorization on the front-end only.

At the end of the day, It is my decision on what to do with this web app. But is there a good thing on placing all authorization/security on the front-end only? How can I best explain that security should be on both ends of the application?

Thanks in advance.


Authorization MUST be implemented on backend. If the authorization is on the FE only, any user, weather a legitimate or malicious can bypass the authorization mechanism as simply as browsing or sending the request to the relevant path and accessing all the functionality that you were trying to protect.

Authorization can be placed on FE as well, to enchase the user experience and reduce the network traffic (EG checking password policy on the front end) but you should never trust the front end regarding security!

Related

How to resolve using AsyncStorage (deprecated) warning? Using the community (correct) library
react-native iOS app not showing static/local assets (images) after deploying
Is there a way to use different network connections for different apps
Remove Storage iOS Apps on Mac
Automator choose finder folder and run shell script
How do external storage devices work with the iPad?
Is this possible to improve boot time?
How do I burn a single ( > 7GB) file to multiple DVDs?
Is Snow Leopard Server a good candidate for everyday use as a main OS?
If I set an alarm clock with a ringtone, how long will the ringtone run if I do not stop it?
PostgreSQL in OS X Lion
iPhone Mail, Send only account