January 29 2025
Trust Boundaries
How to think about security by asking who can trust whom instead of turning everything into a memorized checklist.
Andrews Ribeiro
Founder & Engineer
3 min Intermediate Systems
The problem
Many serious security failures do not start with exotic cryptography problems or zero-day exploits.
They start with a simpler mistake:
the architecture trusted something too early.
It might be raw user input, a poorly validated token, client-provided data, or a response from another internal service.
Mental model
Security gets much more concrete when you think in trust boundaries.
A trust boundary is the point where data leaves an untrusted environment and enters a place where it can cause real damage.
The central question is:
what data am I treating as truth right now, and why do I believe it?
That question sounds simple.
But it breaks a lot of lazy trust inside an architecture.
Breaking it down
A mature way to map trust boundaries is:
- find the real origin of the data
- identify who could have changed it before it got here
- map what the system is about to do with it
- validate, sanitize, or limit permissions right before the point of impact
That moves security out of the abstract and back into the actual flow of the system.
Simple example
Imagine the client sends this:
{
"userId": "123",
"role": "admin"
}If the backend accepts role as truth without checking it against a trusted source, the trust boundary has already been crossed in the wrong way.
The problem is not receiving JSON.
The problem is treating client-provided data like it has authority over permissions.
Common mistakes
- trusting raw client data too early
- assuming an internal service on the same network is automatically safe
- mixing identity with permission
- treating security like a last-minute checklist
- assuming the presence of a token proves everything the system needs to know
How a senior thinks
More experienced engineers do not start with security tools.
They start by interrogating the data flow.
The reasoning usually sounds like this:
Before writing a rule, I want to map where this system accepts untrusted data and where that data could cause damage.
That shift alone clarifies a lot:
- where validation belongs
- where authorization belongs
- which assumptions are still too weak
What the interviewer wants to see
In backend or system design interviews, this topic shows depth quickly.
The interviewer wants to see whether you:
- understand that security starts with trust modeling
- know where validation belongs in the flow
- think about worst-case impact instead of cosmetic fixes
A strong answer often sounds like this:
I would map where the system crosses from untrusted data into trusted execution. From there I would decide where to validate, where to limit permissions, and where a weak assumption could turn into a dangerous action.
Security starts when you stop trusting things just because it is convenient.
Quick summary
What to keep in your head
- A trust boundary is the point where untrusted data gains a chance to cause real harm.
- Client input, tokens, internal services, and external payloads need to earn trust. They do not get it for convenience.
- Security improves when the team asks where the data came from and who could have changed it before it got here.
- Mapping trust boundaries helps decide where to validate, sanitize, and authorize.
Practice checklist
Use this when you answer
- Can I point to trust boundaries in a real request flow?
- Can I explain why an internal service is not automatically a trusted source?
- Can I give an example of client data being treated like authority without earning it?
- Can I answer in an interview how I would map trust points in a system?
You finished this article
Share this page
Copy the link manually from the field below.