Authorization Best Practices
Learn the interview-ready mental model, practical trade-offs, and production patterns for this web fundamentals topic.
Authorization controls what authenticated users are allowed to do. Proper authorization prevents privilege escalation and data leaks. Key principles: least privilege, server-side enforcement, and combining role-based access with resource ownership checks.
Authentication is showing your ID to get in. Authorization is the bouncer checking whether you have a VIP wristband for the VIP area. Even if you're in the club (authenticated), you shouldn't access areas you're not allowed (unauthorized).
1. Principle of Least Privilege
Users and systems should have the minimum permissions necessary to perform their tasks. This limits damage if credentials are compromised.
2. Role-Based Access Control (RBAC)
Map users to roles, and roles to permissions. Simple and effective for most applications.
```javascript
// Role -> permission map; any role or action not listed here is implicitly denied.
const roles = {
  admin: ['read', 'write', 'delete'],
  editor: ['read', 'write'],
  viewer: ['read']
};

// Returns true only if the user's role grants the action. An unknown role
// yields false rather than undefined, so callers get a strict default-deny answer.
function can(user, action) {
  return roles[user.role]?.includes(action) ?? false;
}
```

3. Resource Ownership Checks
For user-owned resources (posts, profiles, orders), always verify the requesting user owns the resource in addition to role checks.
- ✓ Authentication = Who are you? Authorization = What can you do?
- ✓ Always enforce authorization on the server
- ✓ Follow the principle of least privilege
- ✓ Combine RBAC with resource ownership checks
- ✓ Default to deny access
- ✓ Protect ALL state-changing operations
- ✓ Centralize authorization logic for maintainability
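The ownership check from section 3 and the checklist items above (server-side enforcement, default deny, protecting every state-changing operation, centralized logic) worked through as one added example. This is not code from the original page; it assumes a plain Node.js runtime, and the users, posts, route table and the `post:*` action names are constructed sample data.

```javascript
// Added example (not from the original page): one centralized, default-deny
// authorization layer that combines RBAC with resource ownership checks, plus a
// small server-side dispatcher that runs it before every handler.
// Users, posts, route names and the 'post:*' actions are constructed sample data.

// Role -> permissions, as in the page's RBAC snippet, with finer-grained names.
const ROLES = {
  admin:  ['post:read', 'post:write', 'post:delete'],
  editor: ['post:read', 'post:write'],
  viewer: ['post:read'],
};

// Actions that, for non-admins, additionally require owning the resource.
const OWNER_ACTIONS = new Set(['post:write', 'post:delete']);

// Constructed sample data standing in for a database.
const users = {
  u1: { id: 'u1', role: 'admin' },
  u2: { id: 'u2', role: 'editor' },
  u3: { id: 'u3', role: 'editor' },
  u4: { id: 'u4', role: 'viewer' },
};
const posts = {
  p1: { id: 'p1', ownerId: 'u2', title: 'hello' },
};

// Single decision point. Returns true only when a rule explicitly grants the
// action; unknown roles, unknown actions and missing resources all deny.
function authorize(user, action, resource) {
  if (!user || typeof action !== 'string') return false;
  const perms = ROLES[user.role] ?? [];
  if (!perms.includes(action)) return false;               // RBAC: role lacks permission
  if (!OWNER_ACTIONS.has(action)) return true;             // e.g. read: role alone suffices
  if (user.role === 'admin') return true;                  // admins may edit any post
  return resource != null && resource.ownerId === user.id; // ownership check
}

// Route table for /posts/:id. Each route declares the action it needs; the
// PATCH route deliberately omits one to show that a forgotten policy fails closed.
const routes = {
  GET: { action: 'post:read', handler: (post) => ({ status: 200, body: post }) },
  PUT: {
    action: 'post:write',
    handler: (post, body) => {
      post.title = body.title; // copy only the fields a caller may change
      return { status: 200, body: post };
    },
  },
  DELETE: {
    action: 'post:delete',
    handler: (post) => {
      delete posts[post.id];
      return { status: 204 };
    },
  },
  PATCH: { handler: (post) => ({ status: 200, body: post }) }, // no policy declared
};

// Server-side entry point: req = { method, path, userId, body }.
// Authentication (resolving userId from a session or token) is assumed done.
function handleRequest(req) {
  const user = users[req.userId];
  if (!user) return { status: 401 };
  const m = /^\/posts\/([^/]+)$/.exec(req.path ?? '');
  if (!m) return { status: 404 };
  const route = routes[req.method];
  if (!route) return { status: 405 };
  const post = posts[m[1]];
  if (!post) return { status: 404 };
  // Central enforcement: no handler runs unless the route declares an action
  // and authorize() explicitly grants it for this user and this resource.
  if (!route.action || !authorize(user, route.action, post)) return { status: 403 };
  return route.handler(post, req.body ?? {});
}

// Read-only demo of the decisions above.
console.log('owner edits own post  :', authorize(users.u2, 'post:write', posts.p1));
console.log('other editor edits it :', authorize(users.u3, 'post:write', posts.p1));
console.log('PATCH without policy  :', handleRequest({ method: 'PATCH', path: '/posts/p1', userId: 'u1' }).status);
```

The dispatcher never reaches a handler unless the route has declared an action and `authorize()` returned an explicit `true`, so an unregistered role, an unmapped action, or a route whose author forgot to declare a policy all produce 403 rather than silently succeeding.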