reactjsasp.net-coresecurityproject-management

Application security practices for frontend and backend


I'm currently working on a website frontend(React js) and backend(Asp.net core). I have been insisting on backend security for the API's. (Role and permission based authorization). The super senior dev keeps insisting on placing authorization on the front-end only.

At the end of the day, It is my decision on what to do with this web app. But is there a good thing on placing all authorization/security on the front-end only? How can I best explain that security should be on both ends of the application?

Thanks in advance.


Solution

  • Authorization MUST be implemented on backend. If the authorization is on the FE only, any user, weather a legitimate or malicious can bypass the authorization mechanism as simply as browsing or sending the request to the relevant path and accessing all the functionality that you were trying to protect.

    Authorization can be placed on FE as well, to enchase the user experience and reduce the network traffic (EG checking password policy on the front end) but you should never trust the front end regarding security!