Quiz Entry - updated: 2026.07.14
Describe the three-tier architecture of a web application and the security implications of each tier.
Frontend (untrusted, runs on the user's device) → Backend (the real security boundary) → Database (isolated, no direct external access).
* The trust drops as you move outward: only the backend can be trusted to enforce security, so it guards the isolated database. *
Frontend → Backend → Database, each with different trust levels:
| Tier | Runs On | Security Implication |
|---|---|---|
| Frontend (Client) | User's browser/device | Cannot be trusted — users can modify JS, forge requests, bypass client-side validation |
| Backend (Application) | Your servers | Primary security boundary — must validate all input, enforce authorization, protect against injection |
| Persistence (Data) | Database servers | Must be isolated — no direct external access, encryption at rest, strict access controls |
Key rule: Each tier should only communicate with adjacent tiers — the frontend should never directly access the database.
Go deeper:
Wikipedia — Multitier architecture — the presentation / logic / data tier split and why tiers stay separate.