Database
hbrmdc, 2015-09-22 08:53:47

Should it be allowed to make direct requests to the BaaS database directly from the client without the participation of the server and without server validation?

Stack:
ReactJS, Flux, NodeJS+Express server, BaaS Backendless database.
I want to make such a connection between the client webapp and the database:
all GET requests will be sent directly to the database from the client side, because in this application, all information is open and there is nothing to hack.
With the help of this, I expect to increase the speed of obtaining information by the client, because time will not be spent on a scheme like: API request to the server > server asks the database > database responds to the server > server responds to the client. Well, and shorten the code a bit.
But all other requests will go exclusively through the server, and only the server will have a token with which you can change anything in the database. The server, on the other hand, will validate the data that the client sends, so that, for example, a smart client cannot save data to another user.


2 answer(s)
Alex Safonov, 2015-09-22
@elevenelven

Never trust data received from a third party.
Maybe your database doesn't contain sensitive data. But there is still integrity and availability that can be compromised. And besides, at some point it may become necessary to rank users, issue access rights and control them. Well, or there will be confidential data.
Always write your code as if it were software for an artificial kidney. And the practice is good and the habit is useful.
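
The server-side check the question describes (a client must not be able to save data under another user), as an added example that is not part of the original thread. The field names, length limits and the `store` object are assumptions; a `Map` stands in for the BaaS client that holds the write token.

```javascript
// Added example: validating write requests on the server (plain Node.js, no dependencies).
// ALLOWED_FIELDS is an assumed schema: field name -> maximum string length.
const ALLOWED_FIELDS = { title: 200, text: 5000 };

class ValidationError extends Error {}

// Build the record to persist from an untrusted request body.
// sessionUserId must come from the server's own session check, never from the body.
function buildRecord(sessionUserId, body) {
  if (typeof sessionUserId !== 'string' || sessionUserId === '') {
    throw new ValidationError('not authenticated');
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new ValidationError('body must be an object');
  }
  const record = {};
  for (const [field, maxLen] of Object.entries(ALLOWED_FIELDS)) {
    const value = body[field];
    if (typeof value !== 'string' || value.length === 0 || value.length > maxLen) {
      throw new ValidationError(`invalid field: ${field}`);
    }
    record[field] = value;
  }
  // Only whitelisted fields were copied, so a client-supplied ownerId or role is dropped.
  record.ownerId = sessionUserId;
  return record;
}

// An update is allowed only when the stored record belongs to the session user.
// `store` is a hypothetical stand-in for the database client (anything with get/set).
function updateRecord(store, sessionUserId, recordId, body) {
  const existing = store.get(recordId);
  if (!existing || existing.ownerId !== sessionUserId) {
    // Same answer for missing and foreign records, so record ids cannot be probed.
    throw new ValidationError('not found');
  }
  const next = buildRecord(sessionUserId, body);
  store.set(recordId, next);
  return next;
}
```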

Ivan, 2015-09-22
@LiguidCool

I would also add that in this mode, the data on the network goes in the clear and is not covered by https.
