I generally use this picture to explain client-side security to an unsuspecting audience

Image transcription: A public emergency telephone with a sign stating "Only 911 can be dialed," with the numbers 9 and 1 buttons taped to make it the only accessible dialing option.

There’s a difference between ‘I would rather the user didn’t do that’ and ‘We must not allow this to happen’.

User enters the empty string for their password recovery question? Don’t care. Let the Frontend handle this. If the user is capable enough to disable the frontend validation, they’re capable to remember their password.

User enters SQL as their password recovery question? Validate in the backend.

The key-code to open the gate is: 1234

they mean for wheelchairs.

window.isAuthenicated = true;

Reminds me of an "App" me and two of my friends made for an assignment in university :blobfoxblush:

It’s a suggestion, and just enough enforcement to stop people from accidentally wandering that way. Who knows, it might actually be a “don’t go this way, there’s something dangerous” kind of thing, or they could have actual security further along.

How about input sanitization entirely on the client side? That's what a university did with its exam results database. I wonder how many times it got hacked.

To be fair, I’d give up. Don’t want to get muddy shoes. Take the hint I say.

- in actuality the gate would be half that height.

Some fat cop in riot gear with mace and baton waiting behind the bushes. Like uh oh, 6 year old. Better use Mace Jr and the little pink nightstick.

When will Linux introduce the feature of a changeable name of the superuser? I don't like the name root, I want to change it on my system. Proper flexibility allows greater security as well as more fun for the user.