Vulnerable Insecure Design Demo

This demo simulates a flawed approval workflow where the client can directly mark a request as approved. This represents Insecure Design — security logic should never be client-controlled.

How to test:
  1. Submit a request with the "Approved" checkbox checked.
  2. Inspect the server’s response — you’ll see it marked as approved.
  3. Open DevTools → Network and inspect the /api/insecure-design/vulnerable request.
  4. Notice the payload includes approved: true directly from the client.
  5. This bypasses any real approval process — a classic insecure design.

Never trust client-side security logic.
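
The flaw and one way to redesign it, as an added example that is not the demo's own code: the vulnerable handler copies approved from the request body, while the hardened one starts every request as pending and makes approval a separate server-side step. The function names, the role table, the item field and the no-self-approval rule are assumptions made for illustration.

```javascript
// Added example: framework-free handlers; all names here are hypothetical.
// In-memory store standing in for a database.
const requests = new Map();
let nextId = 1;

// Server-side role table (constructed); a real app reads this from the session.
const ROLES = { alice: "requester", bob: "approver" };

// VULNERABLE: mirrors the demo endpoint. The approval state is copied
// straight from the request body, so the client decides the outcome.
function submitVulnerable(user, body) {
  const record = { id: nextId++, owner: user, item: body.item,
                   approved: body.approved === true };
  requests.set(record.id, record);
  return record;
}

// HARDENED: only the item is read from the body; every new request starts
// as pending no matter what the client sent in "approved".
function submitHardened(user, body) {
  const record = { id: nextId++, owner: user, item: String(body.item),
                   approved: false, approvedBy: null };
  requests.set(record.id, record);
  return record;
}

// Approval is a separate state transition, authorized against the server's
// own view of the caller. Blocking self-approval is an assumed policy.
function approve(user, id) {
  const record = requests.get(id);
  if (!record) return { ok: false, error: "not found" };
  if (ROLES[user] !== "approver") return { ok: false, error: "forbidden" };
  if (record.owner === user) return { ok: false, error: "cannot self-approve" };
  record.approved = true;
  record.approvedBy = user;
  return { ok: true, record };
}

// Constructed payload: what the form sends when "Approved" is checked.
const payload = { item: "laptop", approved: true };
const bad = submitVulnerable("alice", payload);
const good = submitHardened("alice", payload);
console.log("vulnerable:", bad.approved, "hardened:", good.approved);
console.log("requester approves:", approve("alice", good.id).error);
console.log("approver approves:", approve("bob", good.id).ok);
```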