All JavaScript in WaveMaker is executed in the browser. Unless you are deploying your application to a private, secure network accessible only by highly trusted devices, the client must be considered untrusted. Even when a username and password are required to access the application, the client host could be under malicious control. Never entrust secrets or security to JavaScript. Any system password, proprietary logic, access restriction, or validation done in JavaScript can be circumvented, modified, extracted, or disabled. To be secure, such things must be done on the server side.
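The following added example (not WaveMaker code and not from the original text) sketches the division of labor described above: a client-side check kept only for user feedback, and a server-side handler that repeats the validation and derives identity, role, and price from its own data. It is written in JavaScript so that both halves run in one file; the handler stands in for whatever server-side service the application uses, and every name and value in it (`handleDiscountRequest`, `SESSIONS`, `PRODUCTS`, the 20% limit) is a constructed assumption.

```javascript
// Server-side state the browser never sees or controls (constructed sample data).
const SESSIONS = new Map([
  ["sess-alice", { user: "alice", roles: ["manager"] }],
  ["sess-bob", { user: "bob", roles: ["clerk"] }],
]);
const PRODUCTS = new Map([["sku-100", { price: 250.0 }]]);
const MAX_DISCOUNT_PCT = 20;

// Client-side check: useful for quick feedback only. It runs in the browser,
// so the server must never assume that it ran or that it passed.
function clientValidate(form) {
  return Number.isInteger(form.discountPct) &&
    form.discountPct >= 0 && form.discountPct <= MAX_DISCOUNT_PCT;
}

// Server-side handler (hypothetical): every request field is untrusted input.
function handleDiscountRequest(req) {
  // Identity and role come from the server's session store, never from
  // request fields such as body.role or body.isManager.
  const session = SESSIONS.get(req.sessionId);
  if (!session) return { status: 401, error: "not authenticated" };
  if (!session.roles.includes("manager")) {
    return { status: 403, error: "forbidden" };
  }

  const body = req.body || {};
  const product = PRODUCTS.get(body.sku);
  if (!product) return { status: 400, error: "unknown sku" };

  // Repeat the validation here, with strict type checks.
  const pct = body.discountPct;
  if (!Number.isInteger(pct) || pct < 0 || pct > MAX_DISCOUNT_PCT) {
    return { status: 400, error: "invalid discount" };
  }

  // The price is looked up server-side; a client-supplied price is ignored.
  const finalPrice = Math.round(product.price * (100 - pct)) / 100;
  return { status: 200, user: session.user, finalPrice };
}
```
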
Previously, we used the Chrome Developer Tools JavaScript console in Chapter 1, Getting Started with WaveMaker. Malicious users can also use the console to manipulate application components in the very same way. Finally, no matter how secure we could make the client code, any and all logic used in the client can be circumvented by sending...