Client-side JavaScript runs in the user’s browser, which makes it inherently unreliable for enforcing critical functionality. Network issues, browser quirks, or code errors can prevent scripts from executing correctly, leading to unexpected or inconsistent behavior. Additionally, client-side code is fully exposed to users, which creates potential security risks.

Key issues with relying on client-side JavaScript include:

  • Client-side JavaScript is fully exposed to the end user. They can see it, modify it, disable it, or intercept it.
  • Technical users can override client-side logic. They can use browser dev tools, injected scripts, proxies, or extensions to bypass front-end restrictions.
  • Execution is not guaranteed. Network problems, browser extensions, device limitations, and JS errors can all prevent the code from running reliably.

For these reasons client-side logic cannot be trusted for security, and should never be relied on for secure, private, privileged, or otherwise critical parts of a system. Anything security-sensitive (permissions, pricing, checkout rules, access control) must be validated on the server.

This guidance is backed by OWASP, the Open Web Application Security Project, a global non-profit focused on improving software security. Their “Proactive Controls” emphasize the importance of server-side validation:

C5: Validate All Inputs
Input validation must always be done on the server-side for security. While client-side validation can be useful for both functional and some security purposes, it can often be easily bypassed. This makes server-side validation even more fundamental to security.

In short, client-side JavaScript is suitable for improving usability, but all security and critical business logic must reside on and be validated by the server.
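The pricing and checkout case is the one most often gotten wrong, so here is an added example (not code from the original article) contrasting a checkout handler that trusts a client-computed total with one that recomputes the total on the server from its own catalog and discount rules. It is written as plain Node.js functions so it runs without a web framework; the catalog, discount table, request shape and sample cart are all constructed for this example.

```javascript
// Added example: client-trusting vs server-validated checkout totals.
// Everything below (catalog, discount rules, request shape) is constructed
// for illustration; it is not any platform's API.

// Server-side source of truth: prices in integer cents, never read from the client.
const CATALOG = {
  "sku-hoodie": { priceCents: 4500 },
  "sku-mug": { priceCents: 1200 },
};

// Server-side discount rules: percent off, with an optional minimum subtotal.
const DISCOUNTS = {
  WELCOME10: { percentOff: 10, minSubtotalCents: 0 },
  BIGSPENDER: { percentOff: 25, minSubtotalCents: 10000 },
};

// VULNERABLE: trusts a totalCents figure computed by client-side JavaScript.
// Whatever the browser sends is what gets charged.
function checkoutTrustingClient(request) {
  return { ok: true, chargedCents: request.totalCents };
}

// HARDENED: the client submits only SKUs, quantities and a discount code;
// the server recomputes the subtotal, applies its own rules, and ignores any
// client-supplied total except to flag a mismatch.
function checkoutServerValidated(request) {
  let subtotal = 0;
  for (const line of request.lines) {
    const item = CATALOG[line.sku];
    const qtyValid = Number.isInteger(line.qty) && line.qty > 0;
    if (!item || !qtyValid) {
      return { ok: false, reason: `invalid line: ${JSON.stringify(line)}` };
    }
    subtotal += item.priceCents * line.qty;
  }

  let percentOff = 0;
  if (request.discountCode !== undefined) {
    const rule = DISCOUNTS[request.discountCode];
    if (!rule || subtotal < rule.minSubtotalCents) {
      return { ok: false, reason: "discount code not applicable" };
    }
    percentOff = rule.percentOff;
  }
  const total = Math.round((subtotal * (100 - percentOff)) / 100);

  // Detection hook: an honest client running the same price logic should agree
  // with the server, so a disagreement is worth logging for review.
  const mismatch = request.totalCents !== undefined && request.totalCents !== total;
  if (mismatch) {
    console.warn(`client total ${request.totalCents} != server total ${total}`);
  }
  return { ok: true, chargedCents: total, clientTotalMismatch: mismatch };
}

// Constructed request: two items, a code whose minimum is not met, and a
// client-side total that does not match the real price.
const sampleRequest = {
  lines: [{ sku: "sku-hoodie", qty: 1 }, { sku: "sku-mug", qty: 2 }],
  discountCode: "BIGSPENDER",
  totalCents: 1,
};
console.log(checkoutTrustingClient(sampleRequest));   // charges whatever the client said
console.log(checkoutServerValidated(sampleRequest));  // rejects the inapplicable code
```

The point of the mismatch flag is operational rather than protective: the server's recomputation is what keeps the charge correct, while the log line gives the operations team a signal that client-side tampering is happening on the store.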

Note: JavaScript is even more likely to break in uncontrolled environments, where changes to the underlying HTML or interactions with other scripts make behavior unpredictable—for example, when running JavaScript in a third-party context. If you don’t control the surrounding code, you cannot guarantee the expected outcome. Even when you do control the code, client-side factors such as network issues, browser extensions, or device limitations can still affect how your scripts behave.


Implications for SaaS E-Commerce Platforms

For SaaS e-commerce platforms like Shopify and BigCommerce, where the backend is provided by the platform as part of the SaaS offering and customizations are primarily limited to the frontend theme, the challenges of client-side JavaScript are particularly significant. Merchants typically have limited control over the backend, so enforcing server-side validation or custom business logic often requires building a custom app. When planning feature architecture, it’s important to recognize that privileged functionality—such as custom checkout behaviors, pricing rules, access control, or user-specific logic—implemented solely with client-side JavaScript, without backend validation, carries all the risks and limitations described above.

Relying on client-side scripts in this context introduces the same risks as previously discussed, but with additional implications:

  • Limited server-side enforcement: Without a custom app, the platform’s backend cannot validate or enforce your custom logic. Any critical business rules implemented solely in JavaScript are exposed to the user and can be bypassed.
  • Third-party interference: SaaS platforms often load other apps, scripts, and integrations alongside your store’s code. These interactions can break or interfere with client-side logic in unpredictable ways.
  • Security and compliance risks: Implementing pricing adjustments, discounts, or access controls purely with JavaScript can create opportunities for unauthorized access, unintended discounting, or regulatory non-compliance.

The takeaway is clear: for secure, critical, or sensitive functionality on SaaS e-commerce platforms, server-side enforcement via a custom app or the platform’s built-in backend features is essential. Client-side scripts should be used only to enhance the user experience or provide non-critical features.
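To make the access-control case concrete, here is an added example (not from the original article, and not Shopify's or BigCommerce's own API) of how a custom app's endpoint can gate member-only pricing on the server. The theme's JavaScript may hide a wholesale price list from non-members, but the endpoint decides what to return from its own customer records, so the rule holds even if the theme script is edited, blocked by an extension, or never runs at all. The customer records, session table, price lists and request shape are constructed for this example, and the session lookup is a hypothetical stand-in for whatever authenticated identity the real app would use.

```javascript
// Added example: server-side entitlement check inside a custom app endpoint.
// Customer records, sessions and price lists are constructed for illustration.

// Server-side records: which tier each customer actually belongs to.
const CUSTOMER_RECORDS = {
  "cust-1001": { tier: "wholesale" },
  "cust-1002": { tier: "retail" },
};

// Per-tier price lists in integer cents.
const PRICE_LISTS = {
  wholesale: { "sku-hoodie": 3000, "sku-mug": 800 },
  retail: { "sku-hoodie": 4500, "sku-mug": 1200 },
};

// Hypothetical session lookup. In a real custom app the customer identity
// comes from an authenticated session or a platform-signed request, never
// from a field the browser can edit.
function customerFromSession(sessionId, sessions) {
  const customerId = sessions[sessionId];
  if (!customerId || !CUSTOMER_RECORDS[customerId]) return null;
  return { id: customerId, tier: CUSTOMER_RECORDS[customerId].tier };
}

// Endpoint logic. `body` is whatever the browser sent; any `tier` field in it
// is deliberately ignored and only noted when it disagrees with the record.
function priceListForRequest(sessionId, body, sessions) {
  const customer = customerFromSession(sessionId, sessions);
  if (!customer) {
    return { status: 401, body: { error: "not signed in" } };
  }
  const tier = customer.tier; // from server records, not from body.tier
  const claimed = body ? body.tier : undefined;
  const ignoredClientClaim = claimed !== undefined && claimed !== tier;
  if (ignoredClientClaim) {
    console.warn(`ignored client tier claim "${claimed}" for ${customer.id}`);
  }
  return {
    status: 200,
    body: { tier, prices: PRICE_LISTS[tier], ignoredClientClaim },
  };
}

// Constructed session table and a request in which the browser claims a tier
// that the server's records do not support.
const SESSIONS = { "sess-a": "cust-1001", "sess-b": "cust-1002" };
console.log(priceListForRequest("sess-b", { tier: "wholesale" }, SESSIONS)); // retail prices
console.log(priceListForRequest("missing", {}, SESSIONS));                   // 401
```

The theme script can still use this endpoint to render the right prices for the signed-in customer; what changes is that the decision lives where the merchant's custom app can enforce it, and the warning line gives the same detection signal as a mismatched checkout total would.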

Note: Shopify has addressed some of these risks and limitations with Shopify Functions, which allow developers to customize the backend logic of Shopify in a controlled environment using standardized APIs.