Page protection controls whether the user can see or load a route, while action protection controls whether the server will accept a state-changing request. They are related but not interchangeable. A secure application needs both, because hiding a button does not stop someone from calling the underlying endpoint directly.
Why This Matters for Security Teams
Page protection and action protection solve different problems, and confusing them creates a common authorization gap: the interface looks restricted while the backend still accepts requests. That gap matters because attackers do not need a visible button if they can call the endpoint directly, replay a request, or modify parameters. NIST’s Cybersecurity Framework 2.0 emphasizes least privilege and continuous risk management, which maps closely to this distinction.
For NHI-heavy systems, the risk is sharper. Service accounts, API keys, and automation tokens often have broader reach than the UI suggests, and NHI Mgmt Group notes that 97% of NHIs carry excessive privileges in its Ultimate Guide to NHIs — What are Non-Human Identities. If the page is protected but the action is not, an attacker or overprivileged automation path can still change state, even when the route is hidden. In practice, many security teams discover this only after a direct request reaches production, rather than through intentional authorization testing.
How It Works in Practice
Page protection is usually enforced at the routing or rendering layer. It decides whether a user, session, or workload is allowed to load a page, view a component, or receive a response that includes sensitive data. Action protection is enforced at the operation layer. It decides whether the server will accept a state-changing request such as create, update, delete, approve, rotate, or revoke. The server must make this decision every time, regardless of whether the client UI hid the control.
In mature designs, the two layers work together:
- Page protection reduces exposure of sensitive screens, forms, and workflow details.
- Action protection validates identity, privilege, resource scope, and request context on every write operation.
- Server-side checks enforce role, ownership, tenant boundaries, and allowed state transitions.
- Logs and audit trails record denied and permitted actions for investigation and review.
This matters especially for APIs, automation, and NHIs. A service account can bypass a page entirely and invoke the endpoint directly, so the backend must not assume the UI has already done the security work. That is why hidden controls are not security controls. The right pattern is to treat the page as a convenience layer and the action as the enforcement point, with authorization evaluated on the server for each request. For broader NHI context, the operational risks described in Schneider Electric credentials breach show how exposed credentials and excessive access can turn a narrow flaw into broad compromise. Current guidance suggests that action protection should be explicit, testable, and independent of front-end visibility. These controls tend to break down in legacy applications with shared backend handlers because UI and authorization logic are often coupled too tightly.
Common Variations and Edge Cases
Tighter action protection often increases implementation effort, requiring organisations to balance usability and performance against stronger authorization assurance. The tradeoff is worth it, but the mechanics differ by architecture.
One common edge case is read versus write behavior. A page may be public or broadly visible while the action behind it is tightly restricted. Another is partial access: a user might be allowed to view a record but not approve, delete, or export it. In API-driven systems, there may be no meaningful page at all, only actions, so the authorization model must focus on endpoints and state transitions rather than screens.
There is also no universal standard for how far page protection should go in single-page apps, because some teams rely on route guards while others rely on server-rendered access checks. Best practice is evolving, but the safe baseline is consistent: never trust the client to enforce business security. For organisations managing NHIs, this distinction matters even more because non-human actors often operate through APIs and automation rather than human-facing pages. The broader NHI lifecycle and privilege issues documented in the Ultimate Guide to NHIs — What are Non-Human Identities show why server-side action checks and least privilege have to travel together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access control must cover actions, not just visible pages. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Excessive NHI privilege can bypass weak action controls. |
| NIST AI RMF | Context-aware decisions align with runtime authorization needs. |
Use governance and risk controls to make authorization decisions explicit and testable at request time.
Related resources from NHI Mgmt Group
- What is the difference between privilege reduction and secret rotation?
- What is the difference between a rules-based secret scanner and a hybrid scanner?
- What is the difference between code scanning and runtime identity monitoring?
- What is the difference between zero trust for users and zero trust for NHIs?
