Good day, Stack Overflow folks! I am writing an application and have been thinking about its logic; currently I do this:

1) I pull data from the database on the server (for example, photos that are divided into albums)

2) Save all photos to an array

3) When a particular album is clicked, I pass all the photos and the album id to an Angular method

4) I select the photos with the desired albumId and return them as an array.

Could you please tell me where it would be more correct, in terms of logic and security, to perform these and similar actions: on the client side, or entirely on the server side?

Thanks in advance for your answers!

  • What kind of security are we talking about? How are the photos stored on the server, and are there any privileges for users to view certain photos? What is in the database? Which method are we talking about, a method with a scope (which one?)? Please give more detail... - Denis Derkach
  • Thanks for your reply! I was asking in general, but I will describe my particular case: the image files themselves are stored in a folder on the server, and the links to them are in the database; users can only view photos. I put all the application (client) logic in a Factory and act only through it. - Uladzimir Khadakouski
  • The question here is not how to do it, but how much data will be transferred each time between client and server. For example, if you have 1 million records in the database with photo URLs, then to view 1 photo it is not advisable to transfer all 1 million records (for one photo). If there are few records, then you can return them all in one request. - Denis Derkach
  • From a security point of view, it does not matter, because to change (damage) the data one would need to either control the process running on the server or access the file system of your hosting directory. - Denis Derkach

1 answer

All security requirements are essentially as follows:

  1. The server should never, under any circumstances, give the client data that this client does not have the right to view. It does not matter whether the request is built from such data on the client; a request can always be forged. All rights checks must be carried out on the server, and all information must be filtered according to those rights on the server. That is essentially all.

  2. The server should not change state on GET requests. The browser sends such requests without any cross-site check beforehand, and an attacker can cause them to be sent (although the attacker does not receive the response, the server will still process the request).
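An added example (not code from the question or from this answer) showing both rules in a plain Node.js-style request handler for the album/photo scenario: every access decision is derived from the authenticated session user on the server, the albumId sent by the client is treated as nothing more than a filter parameter, and the only state-changing operation is refused on GET. The in-memory database, user ids, routes and request shape are constructed for illustration.

```javascript
// Added example, not code from the question or answer. All data and names
// below are constructed for illustration.
const db = {
  albums: [
    { id: 1, ownerId: 'alice' },
    { id: 2, ownerId: 'bob' },
  ],
  photos: [
    { id: 10, albumId: 1, url: '/uploads/alice-1.jpg' },
    { id: 11, albumId: 1, url: '/uploads/alice-2.jpg' },
    { id: 20, albumId: 2, url: '/uploads/bob-1.jpg' },
  ],
};

// Access rule, evaluated on the server only: a user may see an album they own.
function canAccessAlbum(userId, albumId) {
  const album = db.albums.find((a) => a.id === albumId);
  return Boolean(album && album.ownerId === userId);
}

// Rule 1: filter by rights on the server. `userId` comes from the session,
// never from the request body or query string; `albumId` from the client is
// only a selector, and an album the user cannot see yields nothing.
function photosForAlbum(userId, albumId) {
  if (!canAccessAlbum(userId, albumId)) {
    return { status: 403, photos: [] };
  }
  return { status: 200, photos: db.photos.filter((p) => p.albumId === albumId) };
}

// A state-changing operation; the router below exposes it only via DELETE.
function deletePhoto(userId, photoId) {
  const index = db.photos.findIndex((p) => p.id === photoId);
  if (index === -1) return { status: 404, photos: [] };
  if (!canAccessAlbum(userId, db.photos[index].albumId)) {
    return { status: 403, photos: [] };
  }
  db.photos.splice(index, 1);
  return { status: 204, photos: [] };
}

// Minimal router. `req` is a constructed shape:
// { method, path, sessionUserId } where sessionUserId was resolved from the
// session cookie by the server, not supplied by the client in the request.
function handleRequest(req) {
  const albumMatch = req.path.match(/^\/albums\/(\d+)\/photos$/);
  if (albumMatch) {
    if (req.method !== 'GET') return { status: 405, photos: [] };
    return photosForAlbum(req.sessionUserId, Number(albumMatch[1]));
  }
  const photoMatch = req.path.match(/^\/photos\/(\d+)$/);
  if (photoMatch) {
    // Rule 2: a GET (e.g. an <img src> or link planted on another site)
    // must never reach the state-changing code path.
    if (req.method !== 'DELETE') return { status: 405, photos: [] };
    return deletePhoto(req.sessionUserId, Number(photoMatch[1]));
  }
  return { status: 404, photos: [] };
}

// Stand-alone demonstration: owner reads, non-owner is refused, GET cannot delete.
console.log(handleRequest({ method: 'GET', path: '/albums/1/photos', sessionUserId: 'alice' }));
console.log(handleRequest({ method: 'GET', path: '/albums/1/photos', sessionUserId: 'bob' }));
console.log(handleRequest({ method: 'GET', path: '/photos/10', sessionUserId: 'alice' }));
```

The Angular side can still cache and filter photos by albumId for responsiveness, but that filtering is a convenience, not a control: the list it receives has already been reduced to what the session user may see, and nothing the client sends can widen it.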