Why is client-side enforcement insecure?

Because the browser runs on the user's machine. Any code a site sends to the browser can be read, paused, and rewritten by the user, so any rule the server does not independently re-check can be changed. Client-side checks are only safe as user-interface hints. The server has to be the source of truth for anything with value, such as subscriptions, usage limits, in-app currency, and answer correctness.

How could Gizmo enforce hearts and subscriptions securely?

Move the decisions to the server. The client should send each answer over a websocket and let the server grade it, so the correct answer never ships to the browser. The server should own the hearts counter and decrement it, check subscription status on the connection, and refuse to serve the next question once a non-subscriber reaches zero hearts. With the server authoritative, patching the client bundle to report 'subscribed' has no effect, because the server never trusts that claim.

Why is Prodigy's architecture harder to secure than Gizmo's?

Prodigy runs essentially the whole game on the client, including assigning in-app currency and game state. When the client is authoritative for a balance, changing it is just calling a function the app already exposes, so there is no server check to bypass. Securing it requires moving currency, progress, and entitlements onto the server and treating every existing client-supplied value as untrusted input, which is a re-architecture rather than a patch.

Can client-side validation ever be safe to keep?

Yes, as a convenience layer. Client-side validation improves speed and user experience, for example showing an error before a form is submitted. It is safe only when the server repeats every check that matters and treats the client's result as a hint, never as the final decision.

Client-Side Enforcement

Every patch documented on this site exploits the same mistake. Not a clever zero-day, not broken crypto. The app shipped a decision to the browser and then trusted the answer the browser sent back.

The patcher and the extension are downstream of one architectural choice. Strip away the regex and the injection trick, and what is left is a thesis about where decisions are allowed to live.

The one rule

Client-side enforcement of anything is worthless unless the server independently checks everything that matters. The browser is the user's machine. Code you send there is a suggestion. The user can read it, pause it, swap in a different version, and run that instead, which is exactly what the rest of this site does in two regex rules. If a decision carries value, who paid, how many tries are left, how much currency a player holds, whether an answer was right, the server has to make that decision. The client only gets to show the result.

What trusting the client looks like

The Gizmo paywall came down because a boolean lived in the bundle. A read like isSubscribedStore.get(), and a compare like 'subscribed' === ...subscription.status. Both run in code the browser hands to the user, so flipping each one to true takes a single anchored regex. The full walkthrough is in the case studies.

The lesson is not that the regex was easy to guess. The lesson is that the decision sat on the wrong machine. Minification, obfuscation, and renaming do not move it, because the code still has to run, and anything that runs can be changed. Hiding a lock is not the same as locking the door.

Decision	Where it is enforced now	Where it has to live
Subscription status	read from a client-side store	verified per request against the account
Free tries / hearts	a counter in page memory	counted and decremented server-side
In-app currency	set by client code	owned by the server; the client only reads it
Answer correctness	graded inside the bundle	graded by the server; the key never ships

Gizmo: fixable without a rewrite

Gizmo is salvageable, because its server already knows who the user is. The connection is authenticated. The decisions are simply being made in the wrong place, and they can be moved without tearing the product apart.

A sound version looks like this. Answer checking moves server-side: the client sends the submitted answer over a websocket, the server grades it, and the correct answer never reaches the browser to be extracted. The server owns the hearts counter and decrements it on a wrong answer, so the client renders whatever the server reports instead of tracking lives itself. Subscription status is checked on the connection, not read from a store the user controls. Then enforcement becomes a single server decision: once a non-subscriber hits zero hearts, the server stops serving the next question.

Gizmo, done server-authoritative

CLIENT (untrusted)            SERVER (source of truth)
submit answer  ===ws===>    grade vs answer key (never sent to client)
                            correct?  update score
                            wrong?    hearts = hearts - 1
render hearts  <==ws====    { hearts, wasCorrect }   (no answer key)
next question? ===ws===>    subscriber OR hearts > 0 ?  serve  :  refuse

With that shape, patching the bundle to claim subscribed does nothing. The server never asked the client whether it was subscribed, so there is no answer to forge. The cost is real: a stateful connection, server-side grading, actual session state. That cost is the price of the check being a check.

Prodigy: structurally broken

Prodigy is the other end of the spectrum. Its architecture runs essentially the whole game on the client, including the parts a server should own outright, like setting in-app currency and writing game state. When the client is the authority for a balance, changing that balance is not an exploit. It is calling a function the app already exposes. There is nothing to bypass, because nothing is checking.

Securing Prodigy means moving each of those onto the server and treating every value the client sends as untrusted input, including the ones the code currently sets for itself. That is not a patch. It is a re-architecture, and it touches most of the codebase.

Why this is the expensive kind of bug

You do not ship a one-line fix for client-side enforcement. There is no header, no WAF rule, no obfuscation pass that closes it, because the attacker owns the runtime. Every endpoint that changes something of value has to verify the actor and the action on the server. For a small app, that is an afternoon of work. For an architecture shaped like Prodigy's, it is a project.

Securing a codebase

I take this work on. If your app enforces things in the browser that it cannot afford to lose, I move the decisions that matter onto the server and treat the client as the hostile input it is. Send me a rough sense of the codebase and I will scope it and send back a quote. Any size.

alexey.max.fedorov@gmail.com

Written by Alexey Fedorov. For how the patching itself works, start with how it works.