require-backend-authorization
ESLint security rule documentation for require-backend-authorization
📡 Live from GitHub — This documentation is fetched directly from require-backend-authorization.md and cached for 6 hours.
Keywords: require-backend-authorization, client-side, server-side, access control, security, ESLint rule, CWE-602, authorization bypass CWE: CWE-602: Client-Side Enforcement of Server-Side Security
OWASP Mobile: OWASP Mobile Top 10 M3: Insecure Communication
CWE: CWE-602
ESLint Rule: require-backend-authorization. This rule is part of eslint-plugin-secure-coding.
Quick Summary
| Aspect | Details |
|---|---|
| Severity | Critical (Authorization Bypass) |
| Auto-Fix | ❌ No (requires architectural change) |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | Web and Mobile applications with backends |
Vulnerability and Risk
Vulnerability: Client-side enforcement of security occurs when critical authorization logic (e.g., "is the user an admin?") is performed only in the frontend code.
Risk: Attackers can easily bypass client-side checks by modifying the JavaScript code in their browser, using proxy tools, or calling backend APIs directly. Authorization MUST be enforced on the server-side for every sensitive operation.
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-602 OWASP:M3 | Client-Side Authorization detected | CRITICAL [AuthBypass]
Fix: Move authorization checks to server-side API endpoints | https://cwe.mitre.org/data/definitions/602.htmlMessage Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-602 OWASP:M3 |
| Issue Description | Specific vulnerability | Client-Side Authorization detected |
| Severity & Compliance | Impact assessment | CRITICAL [AuthBypass] |
| Fix Instruction | Actionable remediation | Move checks to server-side API endpoints |
| Technical Truth | Official reference | Client-Side Security |
Rule Details
This rule flags common patterns where sensitive properties like isAdmin, role, or permissions are used in client-side conditional statements (if blocks) to gate functionality.
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 🕵️ Bypass | Attackers gain admin access | Enforce all permissions in the API layer |
| 🚀 Exfiltration | Sensitive data exposed to unauthorized | Never send data that the user shouldn't see to the client |
| 🔒 Compliance | SOC2/ISO27001 audit failure | Implement a Zero-Trust architecture for all backend requests |
Configuration
This rule has no configuration options in the current version.
Examples
❌ Incorrect
// Gating sensitive UI/Logic in the frontend
if (user.role === 'ADMIN') {
showDeleteButton();
enableAdminConsole();
}
// Bypassing a check by changing a local variable
if (currentUser.isAdmin) {
performSensitiveAction();
}✅ Correct
// Requesting data from a secure API endpoint
// The server MUST verify the user's role before returning the data or performing the action.
async function fetchData() {
const response = await fetch('/api/admin/data');
if (response.status === 403) {
handleUnauthorized();
return;
}
const data = await response.json();
renderAdminUI(data);
}Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: If the role is assigned to a generic variable name, it will not be flagged.
// ❌ NOT DETECTED
const mode = user.role;
if (mode === 'ADMIN') { ... }Mitigation: Use consistent naming for security-related properties and audit them carefully.
Client-Side UI Toggles
Why: This rule targets logic. Merely hiding a button (display: none) based on a role is not technically a security bypass if the underlying API is secure, but it is often indicative of poor patterns.
Mitigation: Always assume the client-side code is compromised and enforce everything at the network edge.
References
Edit this page on GitHub →