I have a web app that, upon login, sends the credentials to the server for validation - and returns back, among other things, a dictionary of permissions for different UI components throughout the app - which is used to enable/disable or show/hide these components in the front-end.
This is, of course, not secure at all - anyone opening a browser's developer tools console can change these settings on the fly.
I posed this as a problem to my team, and was asked to propose a solution. I am hence trying to sum up what I could think of, and would be glad if anyone could add alternatives I am not aware of (especially if this is a best-practice or common standard):
- Have the server return the full html the user is entitled to see.
- Use encryption to protect server-client exchanges. The UI would decrypt server responses, and display the data accordingly.
What other alternatives are there for this?
My stack is server side in C# (implemented as a WCF server) and devextreme for the UI (html + js (with some js libraries such as knockout)).
(this issue happens throughout all the app, in almost all server served data, not only with login authorizations)
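The pattern the question describes is the usual one: the permission dictionary returned at login is fine as a hint for the UI, as long as it is only a hint. What makes it safe is that every data operation on the server re-derives the decision from the server-side permission source, so editing the dictionary in the browser's developer tools changes what the browser draws but not what the server will do. Encrypting the response does not change this, because the client that decrypts it is the same client being tampered with. Below is an added C# sketch of that arrangement (not the poster's code, and not WCF-specific; the `Permission` names, the `PermissionStore` stand-in with its two constructed users, and the `ReportService` operations are all assumptions for illustration):

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;

// Assumed permission names; the real app's names are not on the page.
public enum Permission { ViewReports, EditUsers, DeleteRecords }

// Stand-in for the server-side source of truth (database, AD groups, ...).
// The two users below are constructed sample data for the demo.
public class PermissionStore
{
    private readonly Dictionary<string, HashSet<Permission>> _byUser =
        new Dictionary<string, HashSet<Permission>>
        {
            { "alice", new HashSet<Permission> { Permission.ViewReports, Permission.EditUsers, Permission.DeleteRecords } },
            { "bob",   new HashSet<Permission> { Permission.ViewReports } },
        };

    public bool Has(string userId, Permission p)
    {
        HashSet<Permission> set;
        return _byUser.TryGetValue(userId, out set) && set.Contains(p);
    }
}

public class ReportService
{
    private readonly PermissionStore _perms;
    public ReportService(PermissionStore perms) { _perms = perms; }

    // Sent to the UI after login so it can show/hide widgets. Purely cosmetic:
    // nothing below trusts this dictionary, so flipping a value in DevTools
    // only changes what the browser renders.
    public Dictionary<string, bool> GetUiPermissions(string userId)
    {
        return Enum.GetValues(typeof(Permission)).Cast<Permission>()
            .ToDictionary(p => p.ToString(), p => _perms.Has(userId, p));
    }

    // Every data operation re-checks the server-side store. userId must be the
    // identity established by the authenticated session/transport (in WCF, for
    // example, ServiceSecurityContext.Current.PrimaryIdentity.Name), never a
    // field the client supplies in the request body.
    public string GetReport(string userId, int reportId)
    {
        Authorize(userId, Permission.ViewReports);
        return "report #" + reportId;
    }

    public void DeleteRecord(string userId, int recordId)
    {
        Authorize(userId, Permission.DeleteRecords);
        // ... perform the deletion ...
    }

    private void Authorize(string userId, Permission required)
    {
        if (!_perms.Has(userId, required))
            throw new SecurityException(userId + " lacks " + required);
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new ReportService(new PermissionStore());

        // What the UI receives for bob: only ViewReports is true.
        foreach (var kv in svc.GetUiPermissions("bob"))
            Console.WriteLine(kv.Key + " = " + kv.Value);

        Console.WriteLine(svc.GetReport("bob", 7));   // allowed

        // Even if bob's browser now claims DeleteRecords = true, the server
        // consults its own store and refuses.
        try { svc.DeleteRecord("bob", 7); }
        catch (SecurityException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

The same idea applies to the "return the full html" option in the list: server-side rendering is one way of making the server the place where the decision is taken, but it is the per-request check, not the rendering, that provides the protection. In a WCF service the check can also be expressed declaratively with `[PrincipalPermission(SecurityAction.Demand, Role = "...")]` on the operation when roles are mapped to Windows or ASP.NET identities; the explicit `Authorize` call above shows the same enforcement without depending on that configuration.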