The screen is not the security boundary
The frontend helps the user navigate. The API decides what the user can do. If the API trusts the screen too much, customer A may touch customer B's data, plan, or file.
For a founder, the question is simple: does every action confirm owner, role, and context before responding?
Review first
- Routes that take a customer, scope, file, or order ID.
- Plan changes, billing, coupons, and paid access.
- Upload, import, and webhook endpoints.
- Admin and support areas.
- Export of reports or personal data.
A protected API protects the business even when the interface changes.
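As an added illustration (example code, not from the post), here is a tenant-scoped order lookup and a plan change that confirm owner and role on the API side, with the "trusts the screen" variant beside them for contrast; the role names and order data are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not from the post): two customers, one order each.
ORDERS = {
    "ord_1": {"tenant_id": "cust_a", "total": 120},
    "ord_2": {"tenant_id": "cust_b", "total": 990},
}
PLANS = {"cust_a": "starter", "cust_b": "starter"}


@dataclass(frozen=True)
class Principal:
    """Who is calling. Derived server-side from the verified session,
    never from the request body, query string, or URL."""
    user_id: str
    tenant_id: str
    role: str  # "member" or "billing_admin" (hypothetical role names)


def get_order_insecure(order_id: str):
    """Trusts the screen: anyone who knows or guesses an ID gets the record."""
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, {"error": "not found"})


def get_order(principal: Principal, order_id: str):
    """Owner check: the order must belong to the caller's tenant.
    A foreign ID gets the same 404 as a missing one, so the response
    does not confirm that the other customer's record exists."""
    order = ORDERS.get(order_id)
    if order is None or order["tenant_id"] != principal.tenant_id:
        return (404, {"error": "not found"})
    return (200, order)


def change_plan(principal: Principal, tenant_id: str, new_plan: str):
    """Owner + role check: the tenant named in the request must be the
    caller's own, and only a billing admin may change its plan, no matter
    what buttons the interface showed or hid."""
    if tenant_id != principal.tenant_id:
        return (404, {"error": "not found"})
    if principal.role != "billing_admin":
        return (403, {"error": "forbidden"})
    PLANS[tenant_id] = new_plan
    return (200, {"tenant_id": tenant_id, "plan": new_plan})
```

Each handler returns an HTTP-style status and body so the difference is visible: the insecure lookup answers 200 for any known ID, while the checked versions answer 404 or 403 whenever owner or role does not match.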