LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Why must access control be implemented on the server side?

Because the client is fully under the attacker's control — they can read the raw API responses and call the API directly, so any access control only enforced in the browser can simply be bypassed.

Client vs server enforcement: the frontend hides the salary column, but the API returns the full JSON; an attacker calling the API directly reads every field, so the check must live on the backend.

* Hiding a field in the frontend is not access control — the API still returns it, so an attacker who calls the API directly reads everything; enforce on the backend. *

Problem: Client-side code can be manipulated!

Architecture flow:

Client (View Logic) → HTTP API → API Server (Business Logic) → SQL Database

What client sees:

First Name | Last Name | Roles
Peter      | Muster    | BACK_OFFICE_ADMIN
Andre      | Hess      | PRODUCT_ENG

What API actually returns (JSON):

{"employeeId": 2276, "firstName": "Peter", "roles": ["EMPLOYEE","BACK_OFFICE_ADMIN"], "salary": 50000}
{"employeeId": 1024, "firstName": "Eliot", "roles": ["BOARD_MEMBER"], "salary": 50000000}

The danger: Even if frontend hides salary, the API returns it! Attacker can:

  1. Inspect network traffic
  2. Call API directly
  3. See ALL data including sensitive fields

Rule: Access control MUST be enforced on the server/backend, never trust the client.

From Quiz: SPRG / Authorization | Updated: Jul 05, 2026