It cracks me up when I stumble upon an application that trusts anything coming from the user. Especially when that user is me :)
If given the opportunity, my browser will happily send your application whatever I tell it to. It’s up to you to actually make sure I’m not lying…
If I’m making calls to a web service that only admins should be calling from your app, make sure I’m an admin before performing the action… Or instead of relying on client-side JavaScript to calculate the order’s total, for example, maybe do that on the backend instead…
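To make both points concrete, here is an added example (not code from the original post): a minimal backend that recomputes the order total from its own catalog instead of accepting the client’s number, and gates an admin-only action on the server-side session rather than on anything in the request. The catalog, session class, handler names and request shapes are all hypothetical, and no web framework is used so it runs stand-alone.

```python
from dataclasses import dataclass

# Server-side catalog (constructed sample data, prices in cents).
# Prices come from here, never from the request body.
CATALOG = {"sku-1": 2500, "sku-2": 999}


@dataclass
class Session:
    """Server-side session state established at login; the client cannot edit it."""
    user_id: str
    role: str  # "user" or "admin"


def compute_total(items):
    """Recompute the order total from the server-side catalog.

    Unknown SKUs and non-positive or non-integer quantities are rejected
    rather than trusted, since the client controls every field in `items`.
    """
    total = 0
    for item in items:
        sku, qty = item["sku"], item["qty"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku: {sku}")
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"bad quantity for {sku}: {qty!r}")
        total += CATALOG[sku] * qty
    return total


def handle_checkout(request):
    """Checkout endpoint: charges the recomputed total and ignores any
    'total' the client sent, only noting whether it disagreed (useful to log)."""
    total = compute_total(request["items"])
    client_total = request.get("total")
    tampered = client_total is not None and client_total != total
    return {"status": "ok", "charged": total, "client_total_mismatch": tampered}


def handle_refund(request, session):
    """Admin-only endpoint: authorization comes from the server-side session,
    not from a client-controlled field such as request['is_admin']."""
    if session.role != "admin":
        return {"status": "forbidden"}
    return {"status": "ok", "refunded": request["order_id"], "by": session.user_id}
```

Logging `client_total_mismatch` gives you a cheap detection signal for tampered carts without ever letting the tampered value reach the charge.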
Remember, devs… Trust No One.