# Frontend Framework and Mobile Backend Security Guides

> **Intro:** The security questions for React or Next.js are not the same as the questions for a mobile backend. This page gives short review lenses for those environments.
>
> **What this page includes**
>
> * frontend framework review points
> * mobile backend review points
> * where state, secrets, and identity assumptions usually break
> * practical release checks

## React / Next.js

Review for:

* server versus client boundary clarity;
* secrets excluded from client bundles;
* SSR and API route auth behavior;
* CSP, cookie, and session defaults.

## Mobile backend APIs

Review for:

* device identity assumptions separated from user identity;
* replay-resistant registration and refresh flows;
* abuse controls on login, enroll, and recovery endpoints;
* safe handling of push tokens, file uploads, and telemetry.

## Shared anti-patterns

* role or entitlement checks only in the client;
* debug routes and feature flags exposed in production builds;
* broad API scopes for mobile clients that should use narrower task-specific routes.

## Release checks

* build artifacts inspected for secrets;
* environment-specific endpoints correct;
* app-to-backend auth flows tested for bad states and replay behavior;
* frontend telemetry reviewed for data minimization.

## Related pages

* [Frontend and Browser Security](/application-security-and-secure-sdlc/index-2.md)
* [API Security](/architecture-api-crypto-and-identity/index.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
