Victor Jeman Academy

If I hide the delete button, is the action safe?

Hiding a button is convenience, not protection. Anyone can call the API directly, so the server has to check every permission too.

Hiding a button does not block the request

Hiding the delete button only takes it off the screen. The endpoint behind it is still live, and anyone can hit it directly with curl or the browser network tab. Gating on the client is a UX choice, not a security boundary.

In my Next.js App Router app I hide the [delete] button when the user is not an [admin]. Show me how someone could still call the [DELETE /api/posts/:id] endpoint directly, and why hiding the button does not stop them.

Enforce every permission on the server

The server is where the boundary actually lives. Each endpoint, server action, and route handler should re-check the caller's role before it does anything. The client check decides what to show. The server check decides what really happens.

How do I check the caller's role inside a Next.js server action or route handler before performing [delete-post], and return a 403 when they are not allowed, even if the client already hid the button?
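As an added example (not the lesson's own code), here is the server-side check for the delete-post route handler described above, written against the Web Request/Response API that Next.js App Router handlers receive and return so it runs without `next/server`. The session store, bearer tokens and post table are constructed stand-ins, and the `params` shape is the synchronous one of Next.js 13/14 (Next.js 15 hands it over as a Promise).

```typescript
// Added example: the server-side check for DELETE /api/posts/:id.
// Framework-agnostic on purpose: it uses only the Web Request/Response
// API that Next.js App Router route handlers receive and return, so it
// runs under plain Node >= 18 without next/server.
type Role = "admin" | "editor" | "viewer";
interface Session { userId: string; role: Role; }

// Constructed stand-ins for the session store and the posts table.
const sessions: Record<string, Session> = {
  "tok-admin": { userId: "u1", role: "admin" },
  "tok-viewer": { userId: "u2", role: "viewer" },
};
const posts = new Map<string, { title: string }>([["42", { title: "hello" }]]);

function json(status: number, body: unknown): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// The role comes from the server-side session, never from a field the
// client sends: a hidden button tells the server nothing it can trust.
function getSession(req: Request): Session | null {
  const auth = req.headers.get("authorization") ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  return sessions[token] ?? null;
}

// Returns a 401/403 Response when the caller may not proceed, else null.
function requireRole(session: Session | null, allowed: Role[]): Response | null {
  if (!session) return json(401, { error: "unauthenticated" });
  if (!allowed.includes(session.role)) return json(403, { error: "forbidden" });
  return null;
}

// Shape of app/api/posts/[id]/route.ts (exported as DELETE in the real
// file). The check runs before any side effect, whether the request came
// from the UI button, curl, or the browser network tab.
function DELETE(req: Request, ctx: { params: { id: string } }): Response {
  const denied = requireRole(getSession(req), ["admin"]);
  if (denied) return denied;
  if (!posts.has(ctx.params.id)) return json(404, { error: "not found" });
  posts.delete(ctx.params.id);
  return new Response(null, { status: 204 });
}
```

The same `requireRole` call belongs at the top of a server action too, since a server action is just another endpoint the client can invoke directly.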

Client gating is UX. The server is the real boundary, so re-check every permission there.

Additional Resources

Explore these carefully curated resources to deepen your understanding and practice the concepts covered in this lesson.