The backend is the portion of an application that executes on the server.
Unlike the frontend, which runs inside the user's browser, backend code executes on systems controlled by the organization hosting the application.
Users never directly see backend code. Instead, they interact with it indirectly by sending requests.
What Does The Backend Do?
Backend applications are responsible for:
- Processing requests
- Performing business logic
- Authenticating users
- Accessing databases
- Communicating with other services
- Generating responses
Example:
A user clicks:
<button>Login</button>
The browser sends:
POST /login
The backend:
- Receives the request
- Validates credentials
- Queries the database
- Creates a session
- Returns a response
Frontend vs Backend
| Frontend | Backend |
|---|---|
| Browser | Server |
| HTML | Application Code |
| CSS | Business Logic |
| JavaScript | Authentication |
| User Controlled | Server Controlled |
The frontend gathers information.
The backend makes decisions.
Common Backend Technologies
Backend applications can be written in many programming languages.
Common examples include:
| Technology | Language |
|---|---|
| ASP.NET | C# |
| Spring | Java |
| Flask | Python |
| Django | Python |
| Express | JavaScript |
| FastAPI | Python |
| Gin | Go |
Although the technologies differ, they all perform roughly the same tasks.
Example Request Flow
A user visits:
https://portal.corp.local/profile
Browser:
GET /profile
↓
Web Server
↓
Backend Application
↓
Database
↓
Response Returned
The backend may retrieve information from multiple sources before generating the final response.
Backend APIs
Modern applications often expose APIs.
Instead of returning HTML pages, they return data.
Example:
GET /api/users/1
Response:
{
"id": 1,
"name": "Operator"
}
The frontend then renders that information to the user.
Many modern applications are little more than a frontend consuming backend APIs.
Why Operators Care
Most impactful web vulnerabilities ultimately exist within backend functionality.
Examples include:
- SQL Injection
- Command Injection
- Authentication Bypass
- File Upload Vulnerabilities
- Path Traversal
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object References (IDOR)
Although the frontend may expose the functionality, the vulnerability usually exists within backend logic.
Trust Boundaries
One of the most important concepts in web security is understanding trust boundaries.
The backend should assume that every request received from a user may be malicious.
Anything originating from the client should be treated as untrusted input.
Examples include:
- Form fields
- Cookies
- HTTP Headers
- URL Parameters
- Uploaded Files
- JSON Data
A secure backend validates all input before using it.
However, this does not remove the need for frontend validation as well!
Backend Compromise
If an attacker successfully compromises a backend application, they may gain access to:
- Sensitive data
- Credentials
- Internal services
- Databases
- Source code
- The underlying operating system
Many real-world intrusions begin with a vulnerable backend application.
Key Principle
The frontend presents information.
The backend makes decisions.
Security controls should be enforced by the backend, not by the browser.