Quiz Entry - updated: 2026.07.14
What are the implementation best practices for access control?
Five implementation principles: enforce on every request, least privilege, invalidate tokens on logout, take roles only from trusted server-side info, and enforce on the backend.
| Principle | Implementation | Common mistake |
|---|---|---|
| Enforce every request | Middleware/interceptor checks on ALL API calls | Assuming frontend already checked |
| Least privilege | Start with zero permissions, add only what's needed | Granting admin "temporarily" |
| Token invalidation | Destroy server-side session on logout, blacklist JWTs | Only deleting client-side cookie |
| Trusted info only | Look up roles from session/DB, never from request | Using role from URL parameter or form |
| Backend enforcement | Server-side checks mandatory; frontend is UX only | Hiding buttons but not checking API |
Tip: Think of frontend authorization as a locked glass door — it stops honest users but attackers can see through and break through it. Backend authorization is the vault.