Quiz Entry - updated: 2026.07.05
Why must access control be implemented on the server side?
Because the client is fully under the attacker's control — they can read the raw API responses and call the API directly, so any access control only enforced in the browser can simply be bypassed.
* Hiding a field in the frontend is not access control — the API still returns it, so an attacker who calls the API directly reads everything; enforce on the backend. *
Problem: Client-side code can be manipulated!
Architecture flow:
Client (View Logic) → HTTP API → API Server (Business Logic) → SQL Database
What client sees:
First Name | Last Name | Roles
Peter | Muster | BACK_OFFICE_ADMIN
Andre | Hess | PRODUCT_ENG
What API actually returns (JSON):
{"employeeId": 2276, "firstName": "Peter", "roles": ["EMPLOYEE","BACK_OFFICE_ADMIN"], "salary": 50000}
{"employeeId": 1024, "firstName": "Eliot", "roles": ["BOARD_MEMBER"], "salary": 50000000}
The danger: Even if frontend hides salary, the API returns it! Attacker can:
- Inspect network traffic
- Call API directly
- See ALL data including sensitive fields
Rule: Access control MUST be enforced on the server/backend, never trust the client.