Security
Security Rules
When dealing with external parties, only share credentials that can be revoked (destroyed) afterwards.
Never on client side
The private data needs to be protected server-side. The client is always in the hands of the enemy.
Frontend conditional rendering is NOT a protection.
- People can spoof whatever they want on the client.
- No sensitive data should reach the client without the proper roles and authentication.
- Checks of the client's identity should always be done server side.
Mobile App Security
Authentication is pivotal because the server needs to ascertain whether incoming requests originated from an authorized device or from an attacker, whether that is interception of traffic or a flood of requests (DDoS).
Token-based authentication is predominant in mobile app architecture.
How to secure a REST API
- HTTPS
- Hashing
  - Important properties should be hashed
- Never expose sensitive params in the URL
OAuth
Use OAuth to protect routes.