Every hop, every header, every contract — made visible.
bff-auth enforces three requirements on state-changing requests:
X-CSRF, Content-Type: application/json, and a JSON-parseable body.
The safe button uses bff(); the unsafe one bypasses it.
Six attacks. Six layers of defence. Try to break through — every attack gets stopped and explained.