The system must enforce access controls on trusted enforcement points, not on the client’s side.
Systems must enforce access controls on trusted enforcement points such as access control gateways, severs and serverless functions. Client-side access control enforcement can not be trusted because it is prone to being bypassed and/or tampered with.
CWE-284: Improper Access Control. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-285: Improper Authorization. The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-602: Client-Side Enforcement of Server-Side Security. The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
CWE-639: Authorization Bypass Through User-Controlled Key. The system’s authorization functionality does not prevent one user from gaining access to another user’s data or record by modifying the key value identifying the data.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least ensure that personal data can be accessed only by authorized personnel for legally authorized purposes.
OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.1) Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client.
OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.4) Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths.
OWASP-ASVS v4.0.1 V1.5 Input and Output Architectural Requirements.(1.5.3) Verify that input validation is enforced on a trusted service layer.
OWASP-ASVS v4.0.1 V4.1 General Access Control Design.(4.1.1) Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.
OWASP-ASVS v4.0.1 V4.1 General Access Control Design.(4.1.2) Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
OWASP-ASVS v4.0.1 V4.2 Operation Level Access Control.(4.2.1) Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else’s record, viewing everyone’s records, or deleting all records.
OWASP-ASVS v4.0.1 V13.1 Generic Web Service Security Verification Requirements.(13.1.4) Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions.
OWASP-ASVS v4.0.1 V13.4 GraphQL and other Web Service Data Layer Security Requirements.(13.4.2) Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer.