A fun curiosity as I build my React application:

I notice how in the browser we can play with the client code and/or resources (e.g., change CSS, change HTML, change a JS variable).

Does that mean we can also manipulate the global state of the stores from the browser?

For example, if we are doing client-side routing (all client code is in the browser) and we are checking the store data to see if a user is logged in, in order to allow routing - couldn't we (or anyone for that matter) just manipulate the store state to override the required login and just walk around the application anyway?

I realize that example can be trivialized in many ways - but the main question is if the global state of the client application code can be played with to trigger different renderings of components while in the browser or even render completely different parts of the component state tree for that matter.

Note: Forgive any signs of major ignorance this might expose, haha. I'm just not sure and I think it would be interesting to know for many reasons both from a development and UX standpoint.

Nick Pineda
  • Everything in the browser can be manipulated. `document.write('Game over!')` ;) – azium Feb 24 '16 at 04:45
  • From a security point of view: You cannot ever be sure that the requests you receive on the server come from a browser running your app to begin with. So you should always implement your security checks on the server side. – flup Feb 24 '16 at 11:18

1 Answer

Yes, with React/Redux Dev Tools a user can do anything with data in the store. So you should never store any sensitive data on the frontend, and validate every user request on the server side.

xCrZx
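The point made in the comments and the answer, as an added example that is not part of the original posts: a client-side `loggedIn` flag only decides what gets rendered, while the server authorizes each request against its own session table. The store shape, the function names and the sample token are all hypothetical, constructed for illustration.

```javascript
// Added example: createStore, canRenderRoute and handleApiRequest are
// hypothetical names, not Redux or React Router APIs.

// --- Client side: a minimal Redux-style store (lives in the user's browser) ---
function createStore(initialState) {
  let state = initialState;
  return {
    getState: () => state,
    // Dev tools give the user an equivalent way to change state.
    setState: (patch) => { state = { ...state, ...patch }; },
  };
}

// Client route guard: a UX convenience that decides what to render, nothing more.
function canRenderRoute(store) {
  return store.getState().loggedIn === true;
}

// --- Server side: state the browser cannot touch ---
// Constructed sample session table: token -> user record.
const SESSIONS = new Map([["tok-constructed-123", { user: "alice" }]]);
const ACCOUNT_DATA = { alice: { balance: 42 } };

// Every request is authorized against the server's own session table,
// never against a flag the client reports about itself.
function handleApiRequest(request) {
  const session = SESSIONS.get(request.sessionToken);
  if (!session) {
    return { status: 401, body: { error: "not authenticated" } };
  }
  return { status: 200, body: ACCOUNT_DATA[session.user] };
}

// Scenario: the store claims "logged in" but no valid session exists.
function tamperedClientScenario() {
  const store = createStore({ loggedIn: false, sessionToken: null });
  store.setState({ loggedIn: true });            // edited in the browser
  const rendered = canRenderRoute(store);        // the empty page shell renders
  const response = handleApiRequest({
    sessionToken: store.getState().sessionToken, // still null
    claimsLoggedIn: store.getState().loggedIn,   // ignored by the server
  });
  return { rendered, status: response.status };
}

console.log(tamperedClientScenario());
```

The protected view's shell renders, but it stays empty because the data behind it is only released to a request carrying a session the server itself issued.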