Web Foundations & Databases · beginner · ~11 min
Trace a page load and separate frontend from backend responsibilities.
The web is request/response over HTTP between a browser (frontend: HTML/CSS/JS, user-controlled) and a server (backend: logic, auth, DB). Because the frontend is attacker-controlled, every security decision must be enforced on the backend.
The frontend/backend trust line is the root of most web vulnerabilities: hidden buttons, disabled fields, and client-side validation are bypassed by crafting requests directly. Recognising what's enforced where is the core web-pentest instinct.
Request/response. Method + URL + headers + body each way.
Frontend. HTML/CSS/JS in the browser, fully user-controlled.
Backend. Server logic the user never sees.
Trust line. Security must be enforced server-side; client checks are UX only.
A web app is a conversation between a client (browser) and a server, carried over HTTP.
Because the frontend is attacker-controlled, no security decision can live there. JavaScript that "disables" a button, hides an admin link, or validates a form is a UX nicety, not a control — an attacker simply crafts the request directly (with curl, Burp, or devtools). Every check that matters must be re-done on the backend. This single idea underlies a huge fraction of web vulnerabilities.
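The two ideas above (a request is just method + path + headers + body, and the backend must re-check everything) are easier to see in code. The following is an added example, not part of the lesson: a toy backend that parses a raw HTTP request exactly as it arrives and then handles it two ways, a naive handler that trusts a client-supplied `role` field (the "hidden button" mistake) and a hardened one that derives identity and role from a server-side session. The request text, the `SESSIONS` table, the `/admin/delete` route and all function names are constructed for illustration.

```python
"""Added example (not from the lesson): parse a raw HTTP request and show why
authorisation must come from server-side state, not from the request body."""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: str


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.1 request into method, path, headers and body.
    This is all the server ever sees; a browser, curl or a proxy can put
    anything here, so nothing in it is trustworthy by itself."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


# Constructed server-side session store: the only source of identity the
# backend should believe. The client never chooses its own role.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob": {"user": "bob", "role": "admin"},
}


def current_user(req: Request):
    """Look up the caller from the session cookie; None if absent or unknown."""
    for part in req.headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "session":
            return SESSIONS.get(value)
    return None


def delete_user_naive(req: Request):
    """Insecure handler: trusts the 'role' field in the body. The frontend may
    hide the delete button from non-admins, but the field is client-controlled."""
    form = parse_qs(req.body)
    if form.get("role", [""])[0] == "admin":
        return 200, f"deleted {form.get('target', [''])[0]}"
    return 403, "forbidden"


def delete_user_hardened(req: Request):
    """Server-side enforcement: identity and role come from the session. Whatever
    the body claims about 'role' is ignored, so UI bypasses change nothing."""
    user = current_user(req)
    if user is None:
        return 401, "login required"
    if user["role"] != "admin":
        return 403, "forbidden"
    target = parse_qs(req.body).get("target", [""])[0]
    if not target:
        return 400, "missing target"
    return 200, f"deleted {target}"


# Constructed request: an ordinary user's session, sent directly to the route
# the UI hides from them, with a 'role' field the form never offered.
RAW_FORGED = (
    "POST /admin/delete HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=sess-alice\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "target=bob&role=admin"
)

# Constructed request: a real admin's session making the same call.
RAW_ADMIN = (
    "POST /admin/delete HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: session=sess-bob\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "target=alice"
)


def demo() -> dict:
    """Status codes each handler returns for the forged and the legitimate request."""
    forged = parse_request(RAW_FORGED)
    legit = parse_request(RAW_ADMIN)
    return {
        "naive_forged": delete_user_naive(forged)[0],      # 200: the bug
        "hardened_forged": delete_user_hardened(forged)[0],  # 403: enforced
        "hardened_admin": delete_user_hardened(legit)[0],    # 200: allowed
    }


if __name__ == "__main__":
    print(demo())
```

The naive handler returns 200 to the forged request because the only thing it checked was a value the client typed. The hardened handler reaches the same decision for the real admin but refuses the forged one, and it would do so no matter what the frontend displayed or validated. In a real application the session store and the role check live behind your framework's authentication layer; the point is that the check exists on the server at all.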
Web apps are HTTP conversations between a user-controlled browser and a trusted server. The frontend cannot enforce security, so every meaningful check belongs on the backend — the principle behind most web bug classes.