Engineering · 2 June 2026 · 6 min read

Giving the browser less to give away

Security-relevant logic never ships to the client, but the client is still worth hardening. Stripping a production build and locking down the page does not keep secrets. It raises the cost of every other attack.

Engineering Practice

We start from a rule that does not bend: nothing that gates a decision lives in the browser. With that settled, a fair question follows. If the client holds no secrets, why harden it at all? Because reducing what the client exposes, and what an injected script can do once it is there, shrinks the attack surface for everything that is not a secret: session handling, user trust, and the integrity of the page a person is looking at.

Minify to reduce exposure, not to hide

Production builds ship minified, without source maps, without comments, and without console output. This is worth doing, and it is worth being honest about why. It does not make the code secret; a determined reader can still recover its behavior. It raises the cost of casual inspection and removes the accidental leaks (the stray log line, the revealing comment) that make an attacker's first hour easy. The real secrets are absent because they were never sent, not because they were obscured.

A page that refuses to run code it did not author

The largest class of client risk is code running on the page that the team never wrote. A strict, nonce-based content security policy is the countermeasure: scripts execute only if they carry a nonce the server issued for that response, inline scripts are refused, and there is no eval. An injected tag, however it arrives, has nothing to attach to.

  • A nonce-based CSP, so only server-sanctioned scripts run and injected ones do not.
  • No inline scripts and no eval, removing the two most common footholds for injection.
  • Closed Shadow DOM roots, so component internals are encapsulated rather than left open to the page.
  • Session material kept short-lived and in memory, never parked in long-term local storage for a script to find.

Assume the bundle will be read and the page will be probed. Then make sure neither one is where anything important lives.

Defense in depth, with the depth on the right side

None of this replaces the server boundary; it complements it. The server remains the only authority over decisions and the only holder of secrets. Hardening the client simply means that when an attacker reaches the one surface they can always touch, they find a page that gives little away, runs nothing they smuggled in, and keeps no session they can steal. The logic that matters is somewhere they cannot go.

Planning a new system, or need an independent assessment?

Whether you are modernizing a legacy platform or testing the one you already run, we will tell you plainly what it takes and where the risk is.