Chapter 2 — Client–Server Architecture

The why

Every modern app is two programs talking to each other. The split is not technical luxury — it's a security and trust boundary. Understand the boundary, and you'll never write a frontend bug into your backend or a backend bug into your frontend.

What is a "client"?

A client is any program that initiates a request to another program. That's it. Some examples:

• A browser loading gmail.com
• A mobile app talking to /api/v1/inbox
• curl hitting your local dev server
• Your Node service calling Stripe's API (yes — your server is a client of Stripe)

Clients are never trusted. Anyone can modify them. Browsers have DevTools. Mobile apps can be decompiled. curl can send any header. You should assume every request is hostile until proven otherwise.

What is a "server"?

A server is a program that waits for requests and responds to them. It listens on a port (we'll see why in Chapter 3). It runs continuously. It is the only place where:

• Sensitive logic lives (pricing, permissions, payment).
• The database is accessed.
• Secrets (API keys, signing keys) live.

If your server were also untrusted, there would be no point — you'd just be exposing the database to the world.

The three layers every backend has

No matter the language, framework, or scale, every backend has the same three layers:

Edge layer — the gatekeeper

Sits in front of your app. Handles things every request needs:

• TLS termination (decrypt HTTPS)
• Authentication checks
• Rate limiting
• CORS
• WAF (web application firewall)

You usually don't write this layer. It's nginx, Cloudflare, an API Gateway, or middleware like Helmet.

App layer — your code

This is where Express lives. Routes match URLs, controllers run business logic, services talk to the database. This is the chapter you'll spend most of your career in.

Data layer — the vault

Persistent storage: PostgreSQL, Redis, S3, vector DBs. Almost always behind a private network — the database should never be reachable from the public internet.

Why business logic belongs on the server

A pricing example. Suppose a "Buy" button costs ₹100.

Wrong:

// On the client
const price = 100;
fetch('/api/checkout', { method: 'POST', body: JSON.stringify({ price }) });

A hostile client edits price to 1 in DevTools and presses Buy. The server obediently charges ₹1.

Right:

// On the client
fetch('/api/checkout', { method: 'POST', body: JSON.stringify({ itemId: 'sku_42' }) });

// On the server
const item = await db.items.findById(req.body.itemId);
const charge = await stripe.charges.create({ amount: item.

The server looked up the price itself. The client doesn't get to vote on amounts. Every important decision is made on the server, full stop.

Client-server vs peer-to-peer

Client-server is the default but not the only model. Peer-to-peer (P2P) lets nodes talk to each other directly without a central server.

Most apps you'll build are client-server. P2P shines for content distribution, real-time media, and decentralized currencies.

Stateful vs stateless servers

A stateful server remembers things between requests for a given client (e.g. session in memory). A stateless server stores nothing per-client — every request is independent and carries everything it needs (token, params).

Stateless wins for scaling. If your server holds no per-client state, you can run 5 copies behind a load balancer and any copy can serve any user. State, when needed, gets pushed into the database or Redis — somewhere shared.

This is the cornerstone of horizontal scaling. We'll come back to it in L5.

Common mistakes

Production · Performance · Security notes

Production. Treat the trust boundary as the first thing you defend. Every public endpoint must have auth, validation, and rate limits before the business logic runs.

Performance. Stateless servers scale linearly with hardware. Stateful servers do not — they require sticky sessions, which break load balancing during deploys.

Security. Assume the client is hostile. Even your own official mobile app can be modified. Never ship an API endpoint that "trusts the app."

Exercises

1. Beginner. Open any e-commerce site. In DevTools → Network, watch the requests when you "Add to cart." Identify which side made the decision: was the price in the request, or did the server look it up?
2. Beginner. Sketch your favorite app as client + server + database. Where does each piece of data live?
3. Intermediate. Find an API in the wild that lets you do something a logged-out user shouldn't be able to. Don't exploit it — file a bug report. (This is how real bug bounties start.)
4. Advanced. Build a 5-line stateless server that just echoes the request body. Run it twice on different ports. Put nginx in front and load-balance. Notice that nothing breaks.

Interview questions

Beginner. Why don't we just do everything on the client? Because clients are untrusted, ephemeral, and isolated from each other. Pricing, permissions, and persistence have to live somewhere consistent and tamper-proof.

Senior. Walk me through how you would make a stateful service horizontally scalable. Identify the state. Push it to Redis/Postgres. Make handlers stateless. Verify with a chaos test killing a random replica mid-request.

Summary

A client initiates requests; a server waits for them. The split exists because clients are untrusted. Every backend has three layers — edge, app, data — and every important decision must happen in the app or data layer. Stateless servers scale; stateful ones don't.

Quick recall

• Client — anything that initiates a request. Untrusted.
• Server — anything that waits and responds. Trusted, owns the data.
• Three layers — edge, app, data.
• Stateless — scale wins; state lives in Redis/DB.
• Business logic on the server, always.

Quiz

1. Why can't pricing logic live on the client?
2. Name the three layers of a typical backend.
3. What is the difference between stateful and stateless servers?
4. Give one example of a peer-to-peer system.
5. Where do secrets (DB password, API keys) belong — client or server?