2

With browser's devtools ability to reload edited javascript overrides, how can you "securely" execute validation-dependent front-end code?

Say you want to conditionally display some sort of proprietary UI element(s) (humor me) dependent on an authorized users permissions. The authorized user data would be validated with a promise, but if the conditional is client side based on the returned promise data, couldn't someone just remove that conditional, save as an override and reload the page?

if (permissionGroup == 'Team'){
  return <>{children}</>
}

if (nodeENV !== 'development'){
  checkAuth();
}

Edit and run JS override to return children without running auth checks

if (permissionGroup !== 'anything'){
  return <>{children}</>
}

Any way to prevent this? Am I mis-informed about devtools security? or is the industry-standard understood that, other than data, anything client side is essentially open source?

Improve this question
7
  • Don't make authentication entirely client-side
    – evolutionxbox
    Commented Dec 7, 2022 at 16:46
  • it's always complex to secure from client side, in the real world secure things are made on the backend
    – ggg
    Commented Dec 7, 2022 at 16:48
  • Everyone is aware security lives server side. I'm asking a question specific to client side. 'build a static site' is not a relevant answer to a question regarding SPAs
    – Bryan
    Commented Dec 7, 2022 at 16:55
  • If you are in control of the users browser(s), you can prevent this (kinda). In fact, the company I work for does this very thing. But realistically it is impossible to secure client side resources on the client side. In frameworks like Angular, you can use guards. Even then, a bad actor could circumvent client-side only protected resources.
    – dj11223344
    Commented Dec 7, 2022 at 17:15
  • @dj11223344 thats what I was thinking as well. You could register an encryption key with major browsers (ridiculous) but like you said, at some point I assume the browser would have to decrypt the client side code therefor exposing it. Or like everyone else seems to suggest, just never trust the client side to do anything.
    – Bryan
    Commented Dec 7, 2022 at 17:19

2 Answers 2

Reset to default
1

The answer is, it is simply not possible to securely control dynamically rendered components on the front end, outside of using possibly some sort of encryption service like JSscrambler

The solution is, only render components to the client side, to user that are authorized to access or view the components, who has been authenticated, validated and authorized on the server.

Improve this answer
0

You never ever trust the client, as you mentioned the client can modify the code and override your "security features".

You will need a backend and need to validate the clients input.

Improve this answer
5
  • Forgive me but I'm looking for a little bit more in depth explanation. Everyone knows security is server side responsibility and to not trust the client. There is a reason some technologies are executed on the client side. What I'm asking is, if and how you might execute client side code that depends on secure values, if the requirement is that the client-side conditions must be secure. i.e. conditionally rendering react components in an SPA. Is just then that client side rendering of any kind is not a technical fit for that requirement?
    – Bryan
    Commented Dec 7, 2022 at 17:02
  • You could try to encrypt parts of the code with the user-password combination. But this will get you in other problems. For example, you need redundant code that is encrypted differently for each user-password combination, or what if a user wants to change the password, now you have to encrypt this parts again... Maybe you can provide some usecases and examples how the finished project should look. What parts need to be "secure"?
    – 5t3v0
    Commented Dec 7, 2022 at 17:22
  • Ya agree thats overkill. Definitely would accept the answer of "it is simply not possible to securely control dynamically rendered components on the front end, only render components to the client side that an authenticated user is authorized to access or view." or something about getServerSideProps
    – Bryan
    Commented Dec 7, 2022 at 17:34
  • came across this service Scrambler, interesting but probably unnecessary. jscrambler.com/solutions/javascript-protection
    – Bryan
    Commented Dec 12, 2022 at 16:23
  • Maybe @5t3v0 should be more specific with the answer. There is two main reason why you can't get proper security on client side: 1. There is no 100% working client side encryption or code scrambling. In many cases the scrambled code can be reversed to readable one and the reversed code could be much better readable than the original code. funny isn't it? :) 2. So, if some data or code downloaded to client side it is better to consider it unsafe in all cases because the client can get all the data back with dev tools even if it does not appear on the screen.
    – kepes
    Commented Dec 12, 2022 at 17:32

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.