C2. Protect admin pages
What this page helps you do
Add extra caution around routes that can change data, billing, or user access.
Why it matters
Admin pages are high-value targets and high-impact mistake zones.
You should already have
- some kind of admin or staff functionality
Skip this page if
- your app has no admin-only actions
What to do
- require proper authorization
- avoid exposing admin routes carelessly
- make admin access auditable if possible
Recommended default
Treat admin actions as a separate risk area, even in a small app.
Common mistakes
- hiding admin pages in the UI but not securing the route
- mixing normal and admin permissions loosely
- forgetting to protect internal tools
Next step
Go to C3. Validate user input.
Related pages
Advanced notes
TODO for contributors: add a plain-English checklist for admin actions that should be logged.