that colleague of yours is limited, so don't be friends with him.
ajax requests can also be checked with various permissions. If you can crack the check, then even if you return the data through the page, can you also simulate the page request?
besides, if there is pressure on the server to adjust the interface many times, isn't it also stressful to request the page many times?

agree with the first floor, don't be friends with this colleague

there are many ways for ajax permissions, such as token verification, signature verification, etc.
the front end has no secrets from skilled people but try to
as long as someone wants to mess with your server, it is useless for you to return the page at the back end

I think it's normal for colleagues to ask questions and worry.
it's just that the security problem has little to do with the separation of front and rear ends. Multiple access restrictions can be easily configured in nginx.

in addition, some of the previous answers said that ajax permission verification is not the same thing as the heavy load caused by multiple visits to questions.

join in the fun, but the question of the landlord's colleagues is not mentioned.
all the questions raised by colleagues in the building are problems that should already exist in the backend. No matter whether they are separated or not, any content security placed at the front end is unreliable, and access control needs to be handled at the backend.
should focus on the separation of front and rear ends, such as what to do if there are only templates but no data SEO at the beginning of loading, such as what to do if the cache is not rendered by the server, and so on.

A client accesses the same interface multiple times will be cached, and there is no problem of excessive pressure on the server.

token permission verification, and reject repeated requests

Don't work with him as a colleague

Front-end Separation Project reference: s.notestore.cn/shop

encryption and decryption can be transmitted