by oldprogrammer2
1014 days ago
My experience aligns with your intuition. I would go further, though, and suggest that the rise of SPA itself has exacerbated this problem (REST or GraphQL). Unless a company has detailed security reviews, it's very easy for client-side developers to reach for an endpoint that exposes more data than they need. Because they don't explicitly use some of that data, they forget they have exposed it. This is certainly a protection that we've lost as we moved away from server-rendered architecture, where no APIs are exposed and only explicitly needed data is sent to the client. Not passing judgment, but there is a higher risk profile in multiple ways for a SPA.
Especially when you have technologies like Firebase or something like that where you might be interacting with the database essentially from your front end code.
That can end up leaving a big gap between what you are visually exposing and what you’re actually exposing.
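One defender-side check for the "forgot they exposed it" problem described in this comment, as an added example that is not part of the original post: diff the fields an endpoint actually returns against the fields the client contract declares, and shape the response to that contract. The contract, the sample user row and all names are constructed for illustration.

```javascript
// Added example: detect undeclared fields in an API response and shape the
// response to an allowlist. Contract, sample row and names are constructed.

// Leaf paths ("a.b.c") the SPA's profile view actually needs (constructed).
const PROFILE_CONTRACT = new Set(['id', 'displayName', 'avatarUrl', 'address.city']);

// Constructed sample of what a "return the whole row" endpoint might emit.
const SAMPLE_USER_ROW = {
  id: 42,
  displayName: 'Ada',
  avatarUrl: 'https://example.invalid/a.png',
  email: 'ada@example.invalid',
  passwordHash: '$argon2id$PLACEHOLDER', // constructed placeholder, not a real hash
  address: { city: 'London', street: '1 Example Row' },
};

// Walk a plain object and return every leaf path as "a.b.c" (arrays are leaves).
function leafPaths(value, prefix = '') {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return [prefix];
  }
  return Object.keys(value).flatMap((k) =>
    leafPaths(value[k], prefix ? `${prefix}.${k}` : k)
  );
}

// Paths present in the response but absent from the contract: the data the
// client never asked for but is receiving anyway.
function undeclaredFields(response, contract) {
  return leafPaths(response).filter((p) => !contract.has(p));
}

// Build the response the client should get: copy only contracted paths,
// creating nested objects as needed and skipping paths the row lacks.
function shapeResponse(row, contract) {
  const out = {};
  for (const path of contract) {
    const parts = path.split('.');
    let src = row;
    let dst = out;
    for (let i = 0; i < parts.length; i++) {
      if (src === null || typeof src !== 'object') break;
      const key = parts[i];
      if (i === parts.length - 1) {
        if (key in src) dst[key] = src[key];
      } else {
        src = src[key];
        dst = dst[key] ??= {};
      }
    }
  }
  return out;
}
```

Running `undeclaredFields(SAMPLE_USER_ROW, PROFILE_CONTRACT)` flags `email`, `passwordHash` and `address.street`; after `shapeResponse` the same check returns an empty list.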