I'm new to web application development, especially when it comes to frontend, but as I understood, a typical structure for a big application would have a frontend PHP (or equivalent) layer calling the backend services and generating dynamic pages.
Now we're building a new site, and a colleague of mine insists on not having the layer that generates the dynamic pages. He wants the pages to be mere skeletons with html and JS, so basically static web pages, and directly invoking the backend (REST) with JS. This, of course, means having the backend services publicly available, which I'm not particularly comfortable with.
Is this architecture approach advisable? Does it scale?
Best Answer
That architecture your colleague suggested is pretty common nowadays - it's called Single Page Application.
In terms of security the two methods are equivalent - in both cases the server is generating all data required for creating the page, and sending it to the client. The only difference is where and how this data gets formatted into the form displayed to the user.
For example, if you want to allow the user to search for products, in the classic approach the server will generate the entire HTML page with the list of products in it, and in the SPA approach the server will generate the same list of products, but instead of rendering HTML it'll serialize the list into XML or JSON or whatever other format and send the serialized list to the client.
Notice that in both cases:
Security-wise, the only advantage of the classic approach over the SPA approach is that SPAs make it a bit easier to programmatically use your application - for example it's easier for me to create a script that runs every morning, logs in with my credentials, requests the list of products, and emails me if you've added a new product. But I could have done it with the classic approach as well - it would have been a little harder (because it's harder to extract the data from an HTML page than from a serialization format) but it would have still been possible (I've actually done that a few times...)
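To make the answer's point concrete, here is an added example (not code from the question or the answer) of a single server-side search handler that performs the session check once and then either renders an HTML list (classic approach) or serializes the same list as JSON (SPA approach). The product list, the session table and the token names are constructed sample data; the hypothetical `handle_search` function stands in for whatever framework route you would really use. The security-relevant part is that authorization lives in front of both renderers, and that the HTML renderer escapes untrusted text so that the data cannot become markup.

```python
import html
import json

# Constructed sample data (assumption, not from the post): a product catalogue
# and a session table keyed by bearer token. One product name deliberately
# contains markup so the HTML renderer's escaping is visible in the output.
PRODUCTS = [
    {"id": 1, "name": "Widget <b>Pro</b>", "price": 9.99},
    {"id": 2, "name": "Gadget", "price": 19.50},
]
SESSIONS = {"tok-alice": {"user": "alice", "roles": {"customer"}}}


def authorize(token):
    """Resolve a session token; returns None when the caller is not logged in.

    This is the one check both rendering modes share: a JSON endpoint is no
    more exposed than an HTML page as long as it runs the same gate."""
    return SESSIONS.get(token)


def search_products(query):
    """Case-insensitive substring search over the catalogue (hypothetical)."""
    q = query.lower()
    return [p for p in PRODUCTS if q in p["name"].lower()]


def render_html(products):
    """Classic approach: the server formats the list as an HTML fragment.

    html.escape keeps product names as text rather than markup."""
    items = "".join(
        f"<li>{html.escape(p['name'])} - {p['price']:.2f}</li>" for p in products
    )
    return f"<ul>{items}</ul>"


def render_json(products):
    """SPA approach: the server ships the same list serialized as JSON and
    leaves formatting to client-side JS."""
    return json.dumps(products)


def handle_search(token, query, accept="text/html"):
    """Dispatcher standing in for a route handler.

    Returns (status, content_type, body). Authorization runs before any
    data is fetched, so the chosen output format never changes who may
    see the list."""
    if authorize(token) is None:
        return 401, "text/plain", "unauthorized"
    results = search_products(query)
    if accept == "application/json":
        return 200, "application/json", render_json(results)
    return 200, "text/html; charset=utf-8", render_html(results)


if __name__ == "__main__":
    print(handle_search("tok-alice", "wid"))
    print(handle_search("tok-alice", "wid", accept="application/json"))
    print(handle_search("no-such-token", "wid"))
```

Both branches return exactly the data the caller is entitled to; the JSON branch is easier to consume from a script, which is the only difference the answer describes. On the SPA side the client-side JS has the mirror-image duty of the `html.escape` call here: insert the received names into the DOM as text, not as raw HTML.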