• grrgyle@slrpnk.net
    ↑ 8 · 11 days ago

    Username/password validation should happen entirely server-side, with as little information as possible provided to the client

    Yyyup. This is also why it’s good practice to respond with HTTP 404 if a public user has tried to access user data they shouldn’t have access to, whether it exists or not. Don’t give them the hint that they hit a path that has forbidden data.
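The pattern described above, as an added example that is not part of the original comment: a lookup that answers 403 for "exists but not yours" beside one that answers 404 in both cases, with the real reason kept in the server log. The document store, user names and helper names are constructed for illustration.

```python
from http import HTTPStatus
import logging

log = logging.getLogger("access")

# Constructed sample store (not real data): document id -> owner and contents.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "alice's private notes"},
    "doc-2": {"owner": "bob", "body": "bob's private notes"},
}

def leaky_lookup(user, doc_id):
    """Tells 'missing' apart from 'forbidden': a caller who is not allowed
    to read doc_id can still learn, from the status code, that it exists."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return HTTPStatus.NOT_FOUND, None
    if doc["owner"] != user:
        return HTTPStatus.FORBIDDEN, None   # confirms doc_id exists
    return HTTPStatus.OK, doc["body"]

def lookup(user, doc_id):
    """Authorisation is decided entirely server-side; the client gets the
    same 404 whether the document is absent or belongs to someone else.
    The distinction is recorded only in the server log, where it is useful
    for detection and audit rather than for the caller."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        log.info("user=%s doc=%s reason=missing", user, doc_id)
        return HTTPStatus.NOT_FOUND, None
    if doc["owner"] != user:
        log.warning("user=%s doc=%s reason=forbidden", user, doc_id)
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, doc["body"]

def leaks_existence(handler, user, existing_id, missing_id):
    """Review check: True if the handler's status codes let `user` tell an
    existing document they may not read apart from one that does not exist."""
    return handler(user, existing_id)[0] != handler(user, missing_id)[0]
```

Running `leaks_existence` against both handlers is a quick regression check to keep in a test suite so the 403/404 split does not creep back in.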