Login security with conditional logic on the client

My approach is to authenticate on the server side before returning sensitive data. That is, I assume that the user can make the client-side interface do anything they want if they are clever enough (e.g., change flags, visit pages, etc…); however, I control what is returned from the servers.

Please see Bridget’s helpful post:

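The approach in the post above, sketched as an added example (not code from the thread or from any particular platform): one handler trusts a flag sent by the client, the other derives identity only from server-side session state. All names (`login`, `getProfile`, `getProfileTrustingClient`, the request shape) and the sample data are hypothetical.

```javascript
const crypto = require('crypto');

// Passwords are stored as salted scrypt hashes, never in plain text.
const hashPassword = (pw, salt) => crypto.scryptSync(pw, salt, 32);

// Server-side state (constructed sample data); the client never sees or edits it.
const SALT = crypto.randomBytes(16);
const users = { alice: { pwHash: hashPassword('correct horse', SALT) } };
const privateData = { alice: { email: 'alice@example.test' } };
const sessions = new Map(); // session token -> userId

// A session token is issued only after the server has verified the credentials.
function login(userId, password) {
  const known = Object.prototype.hasOwnProperty.call(users, userId);
  if (!known) return null;
  const candidate = hashPassword(password, SALT);
  if (!crypto.timingSafeEqual(users[userId].pwHash, candidate)) return null;
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, userId);
  return token;
}

// Weak: the decision rests on a flag in the request body, which the user controls.
function getProfileTrustingClient(req) {
  if (req.body.isLoggedIn !== true) return { status: 401 };
  return { status: 200, body: privateData[req.body.userId] };
}

// Corrected: identity comes only from the server's session table;
// anything the client claims about its own login state is ignored.
function getProfile(req) {
  const userId = sessions.get(req.token);
  if (!userId) return { status: 401 };
  return { status: 200, body: privateData[userId] };
}

// Constructed request: client-side flags flipped, but no valid session.
const tampered = {
  token: 'not-a-real-session',
  body: { isLoggedIn: true, userId: 'alice' },
};
```

Passing `tampered` to the first handler returns the private record, while the second returns 401 until `login` has issued a token for that user.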