GrayWall Strategy
Securing your frontend from pentesters and reverse engineers, lessons from a real ransomware attack
Source: YouTube, Frontend Finland 2025
About this Talk
Delivered at Frontend Finland 2025, this talk introduces what Zak Allal calls the GrayWall Strategy: a defensive architecture for frontend applications built on the premise that the client is hostile territory. Anything shipped to the browser can and will be inspected, modified, and weaponized by attackers.
Rather than relying on client-side obfuscation, the strategy pushes sensitive logic, data shaping, and business rules behind a server-side wall, leaving the browser with just enough to render and interact.
What the Talk Covers
Minimizing client-side exposure
The central principle: treat every byte in the browser as adversary-readable. Business logic, schemas, and data models belong on the server, not bundled into JavaScript where reverse engineers can extract them.
Go, Cap'n Proto, SSR, gRPC and WebSockets
Zak walks through the concrete stack he uses: Go on the server, Cap'n Proto for fast binary serialization, server-side rendering to avoid shipping rich client models, and gRPC plus WebSockets for tight, schema-enforced transport between server and browser.
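To make the "just enough to render" idea concrete, here is an added Go example (not code from the talk or from Zak Allal; the Account fields, rules and template are constructed for illustration). It shows the two routes a page's data can take: a server-side render that only ever hands the template a view struct with decisions already made, versus the anti-pattern of serializing the whole model for a client-side renderer. The exposesInternal check is the kind of assertion a reviewer could run over any payload bound for the browser.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"html/template"
	"strings"
)

// Account is the server-side model. Field names and rules are constructed
// for this example; the talk does not publish its data model.
type Account struct {
	ID            string
	Email         string
	Tier          string  // "free" | "pro"
	CreditScore   int     // internal risk signal; must never reach the browser
	InternalNotes string  // support-desk notes; same
	ListPrice     float64 // pricing-rule input, not a display value
}

// AccountView is the only shape the browser ever sees: display values
// and already-made decisions, no rule inputs, no internal fields.
type AccountView struct {
	Email      string
	PriceLabel string
	CanUpgrade bool
}

// shapeForClient applies the business rules on the server so the bundle
// contains neither the discount nor the eligibility threshold.
func shapeForClient(a Account) AccountView {
	price := a.ListPrice
	if a.Tier == "pro" {
		price *= 0.8 // pro discount lives here, not in JavaScript
	}
	return AccountView{
		Email:      a.Email,
		PriceLabel: fmt.Sprintf("%.2f EUR", price),
		CanUpgrade: a.Tier == "free" && a.CreditScore >= 600,
	}
}

const page = `<p>{{.Email}}</p><p>{{.PriceLabel}}</p>{{if .CanUpgrade}}<button>Upgrade</button>{{end}}`

var tmpl = template.Must(template.New("account").Parse(page))

// renderSSR returns the HTML the server ships. The template is executed
// against AccountView only, so it cannot leak Account by accident.
func renderSSR(a Account) (string, error) {
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, shapeForClient(a)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// leakyJSON is the anti-pattern: the full model serialized for a
// client-side renderer. Every field becomes adversary-readable.
func leakyJSON(a Account) (string, error) {
	b, err := json.Marshal(a)
	return string(b), err
}

// exposesInternal is a simple response check: does a payload bound for
// the browser mention any field that should have stayed behind the wall?
func exposesInternal(payload string) bool {
	for _, marker := range []string{"CreditScore", "InternalNotes", "ListPrice"} {
		if strings.Contains(payload, marker) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample account.
	acct := Account{ID: "acc-1", Email: "a@example.com", Tier: "pro",
		CreditScore: 710, InternalNotes: "chargeback 2024", ListPrice: 50}
	html, _ := renderSSR(acct)
	js, _ := leakyJSON(acct)
	fmt.Println(html)
	fmt.Println("SSR  leaks internals:", exposesInternal(html))
	fmt.Println("JSON leaks internals:", exposesInternal(js))
}
```

The point of the split is that the server decides, and the browser only displays: the same request that would have shipped a pricing rule and a risk score now ships a label and a boolean, and the check on the outgoing payload turns "did we leak the model?" into something that can be asserted in a test rather than discovered by a reverse engineer.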
A real ransomware attack, dissected
The talk grounds the architecture in a real-world ransomware incident, showing how over-exposed frontend surface area became an attack path and how the GrayWall approach would have blunted it.