The Client Is Lying

There’s a fundamental truth in web development that we often forget: the client is always lying.

Not maliciously, necessarily. But every pixel rendered in a browser, every byte sent over the wire, every click and keystroke, all of it exists in hostile territory, subject to manipulation, inspection, and deceit. Yet we build applications as if the frontend is a trusted partner, implementing business logic in JavaScript as though DevTools doesn’t exist.

This is a talk about where trust belongs in modern web architecture.

We’ll start with a simple demonstration: changing a product’s price with a few keystrokes. From there, we’ll explore why client-side validation is theater, how authorization checks vanish into thin air, and why the shift from thick clients back to server authority isn’t nostalgia, it’s necessity.

We’ll learn the principles of server authority: treating every request as potentially malicious, keeping business logic where it belongs, and building defense in depth from your API to your database.

We’ll explore server authority through Zero, a framework that enforces these principles by design, examining the architectural patterns and tradeoffs that enable security without sacrifice across modern web development.

This isn’t about paranoia. It’s about respect: for your users, your data, and the craft of building software that doesn’t betray trust.
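The price-change demonstration and the "treat every request as potentially malicious" principle described above, as an added example that is not taken from the talk or from Zero. The catalog, the `priceOrder` function and the request shape are hypothetical; the point is that the server prices the order from its own data and uses client-submitted prices only to detect tampering.

```javascript
// Added example; CATALOG, priceOrder and the request shape are hypothetical.
// Server-side source of truth: prices in integer cents, keyed by product id.
const CATALOG = new Map([
  ["sku-1001", { priceCents: 4999, maxPerOrder: 5 }],
  ["sku-2002", { priceCents: 19900, maxPerOrder: 2 }],
]);

// Prices an order from an untrusted request body. Only ids and quantities are
// read from the client; submitted prices and totals are compared against the
// server's values purely so that tampering can be logged.
function priceOrder(body) {
  if (!body || !Array.isArray(body.items) || body.items.length === 0) {
    return { ok: false, error: "items must be a non-empty array" };
  }
  let totalCents = 0;
  const tampered = [];
  for (const item of body.items) {
    const product = item && typeof item.id === "string" ? CATALOG.get(item.id) : undefined;
    if (!product) return { ok: false, error: "unknown product" };
    // Reject fractional, zero, negative or oversized quantities on each line.
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > product.maxPerOrder) {
      return { ok: false, error: `invalid quantity for ${item.id}` };
    }
    if (item.price !== undefined && item.price !== product.priceCents) {
      tampered.push(item.id);
    }
    totalCents += product.priceCents * item.qty; // server price, never item.price
  }
  if (body.total !== undefined && body.total !== totalCents) tampered.push("total");
  return { ok: true, totalCents, tampered };
}

// Constructed sample requests: what an honest client sends, the same request
// after the price fields were edited in the browser, and a negative quantity.
const honest = { items: [{ id: "sku-2002", qty: 1, price: 19900 }], total: 19900 };
const edited = { items: [{ id: "sku-2002", qty: 1, price: 1 }], total: 1 };
const negative = { items: [{ id: "sku-1001", qty: -3, price: 4999 }], total: -14997 };

console.log(priceOrder(honest));
console.log(priceOrder(edited));
console.log(priceOrder(negative));
```

The edited request is still charged the catalog price, and the non-empty `tampered` list gives the server something to log or alert on.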

Session info:

Speaker: Stefan Sinca

Full Stack Engineer at ING Hubs Romania

Date: 13 March 2026

Time: 15:35 - 16:20

Relevant tags:
Architecture Security