Security Modifing App State From Javascript

I have a question about how to develop my web application security. Assuming that all the javascript code is public and that anyone can make any AJAX call directly, with parameters

Solution 1:

The server is always the ultimate authority. You need all of your app logic server-side and the server needs to validate all actions a user takes. Think of the server as a black box, which represents all of your application logic. Anything outside of that black box is not trustable, not part of "the app". Anything that can be done "from outside" with that black box is by definition untrusted. The black box must only expose valid APIs to the outside and react to any invalid input by rejecting it. An HTML/Javascript interface is merely a convenient way to use those APIs that a normal user can interact with, it is not part of the core application and must not contain critical business logic. It merely represents what goes on inside the black box.

If your application is highly dynamic and often changes state which needs to be reflected in the interface, like in a game, then yes, keeping that in sync with the server-side state can be quite a challange. It's nevertheless necessary.