LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What does it mean that JavaScript is executed "client-side", and why does that matter for security?

Client-side means the server sends the code but the user's browser runs it — so it is fast and visible, but never trustworthy.

When a page loads, the web server delivers the JavaScript as plain text along with the HTML, but the actual execution happens on the visitor's machine inside their browser (the "client"). Understanding where the code runs explains both its powers and its limits:

  • No load on the server — the user's own computer does the work.
  • Access to the page — the script can read and change the HTML document the user is looking at.
  • The code is fully visible — anyone can choose "View Source" or open dev tools and read every line. There are no secrets in client-side JS.
  • The server can't verify what ran — it has no way to know whether the script actually executed, or whether the user tampered with it.
  • Sandboxed — for safety the browser confines scripts to a limited area ("sandbox"); a normal web script cannot read or write files on the user's disk.

The security lesson follows directly: never rely on client-side validation alone. A login check or password rule written only in JavaScript is worthless, because the user can disable, edit, or bypass the script. Use client-side checks for instant, friendly feedback, but always re-validate everything on the server, which the user cannot touch.

From Quiz: WEBT / Introduction to JavaScript | Updated: Jun 20, 2026