It has to do with the size of the attack surface. in order for things to be client side driven gui elements need to be loaded for different role types. Those elements are often exposed If not directly then by showing which APIs are used to Authorize access to admin areas. That’s the whole point of rendering on the client. To load some Little div you might have an API call that when access by different role types will respond differently. With Server side rendering you never see the different API points for each role type As they get their own.
Why would the elements HAVE to be loaded for different roles? You're talking as if every single client-side app approaches authorization and authentication the same way and that's just not true.
There's no attack surface here at all, the only issue with most client-side apps and interaction with server comes from CORS and devs copypasting solutions from SO to get rid of the warning, thus creating the attack surface.
The choices related to displaying appropriate elements based on current user's role that's tied to entire logic of the app has literally zero to do with security.
Because the whole point of client, side rendering is to not have session management on the server side so that it uses less bandwidth on the server provider.. that’s why you have JWTs and stuff like that.
Architecturally when you have a session management system, where state is able to be maintained per user usually up by the same thread on the same physical server. that’s going to be more secure than a horizontally structured infinitely scalable system. But there’s always trade-off between security and usability/performance
> Because the whole point of client, side rendering is to not have session management on the server side so that it uses less bandwidth on the server provider
No, the whole point of client-side rendering is to apply parasitic computing and offload the server by having the client perform work it can thus saving the bandwith and compute power.
Next benefit is application that's "snappy" and works well, which is what almost never happens sadly.
> that’s why you have JWTs and stuff like that.
No, you don't have JWT and "stuff like that" because of this. JWT is for offloading databases so you don't have to talk to a DB on every request since you can verify the token via signature check and thus implement distributed services that don't have to talk to central authority to authorize a request.
> where state is able to be maintained per user usually up by the same thread on the same physical server
And now you're trying to sound smart by adding servers and "threads". I've a feeling you're pulling my leg right now so I'll excuse myself since you started spouting absolute nonsense.
What are you talking about? It’s well-known that Apache has a philosophy that every connection should be serviced by its own thread, whereas NGINX is an event driven architecture which means you have a thread-pool: think of it this way it’s like having the same dedicated waiter at a restaurant versus having the first available waiter come service your table or refill your drink, even if that waiter is different each time.
Concerning JWT, I think we were talking past each other as I was referring to a session-less Authentication scheme, which is more or less what you describe.
Finally, there’s no reason why the server can’t render JavaScript as well other parts of the page. In effect, if the server wanted to, it could render of a reactive version or an angular version depending on a variable. Can the client do that?