Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-backend-for-frontend.md

1.3 KiB

Pattern: Backend-for-Frontend

Status: seed Readiness target: RL2 private beta Primary owners: product repos, NetKingdom Genesis family: Application/API security

Problem

Different UI clients often need different API shapes, but exposing broad backend APIs directly to browsers or mobile clients increases token and data exposure.

Context

Use this pattern for web frontends, mobile clients, admin consoles, tenant portals, and agent-facing UI surfaces.

Forces

  • UI clients need tailored data and workflow APIs.
  • Backend services may expose fields or operations that clients should not see.
  • Tokens and sessions need client-appropriate handling.
  • Authorization decisions still need tenant and object context.

Solution

Create a client-specific backend layer that mediates session handling, data shaping, authorization calls, and downstream API access for one frontend class.

Verification

  • The BFF exposes only client-appropriate operations and fields.
  • Downstream calls include trusted user, tenant, and authorization context.
  • Sensitive backend tokens are not exposed to clients.
  • Session and CSRF controls match the client type.
  • API Gateway as Security Boundary.
  • Object-Level Authorization Check.
  • Tenant Context Propagation.
  • Schema-First API Security.