← All articles
Security
Basic Client-Side Security Concepts
Client-side code runs on the user’s device. They can read it, modify it, and replay requests. Never put secret keys in frontend code. Never trust the client for authorization decisions — enforce those on the server.
Use HTTPS everywhere. Protect against XSS with proper escaping and content security policy. Keep auth tokens handled carefully. The client is a convenience layer; the server is the authority.