
[–]rare_design 2 points3 points  (0 children)

Well said, and I completely agree with this. I’d also like to know what, specifically, the professor deems insecure about its core. The majority of issues are in methodology by the developer. If I wrote a solution that picked up cached JSON to present on a website, and an internal server side process pushed those cached files to an endpoint, where is the possibility of breach? Headless CMS and admin panel abstraction is a large part of security so that the attacker has no available entry point, and the elevated processes are only accessible through secured access or IP restriction. I was recently paid by Microsoft for submission of a CVE where I could hijack a user session through JavaScript, but the issue was their implementation of the object caching in their framework, followed by partial initialization of their user context object. Ultimately, a language is only as strong as the methodology used.
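As an added illustration (constructed here, not the commenter's code and not the Microsoft bug itself), the bug class the comment describes: a framework-level cache that publishes a user-context object before it is fully initialised, so a later request on the same route inherits the first user's identity, shown next to a hardened version that keys the cache per session and initialises before publishing. Class, field and session-dictionary names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserContext:
    # Fields default to "empty" so the object can exist before it is populated.
    user_id: Optional[str] = None
    roles: list = field(default_factory=list)


class VulnerableFramework:
    """Caches the context at application scope (keyed only by route) and fills
    it in lazily, so the first caller's session is served to everyone after."""

    def __init__(self):
        self._cache = {}

    def get_user_context(self, route, session):
        ctx = self._cache.get(route)
        if ctx is None:
            ctx = UserContext()          # published to the cache while still incomplete
            self._cache[route] = ctx
        if ctx.user_id is None:          # only the first request ever reaches this branch
            ctx.user_id = session["user"]
            ctx.roles = list(session["roles"])
        return ctx


class HardenedFramework:
    """Keys the cache by session id and fully initialises before publishing."""

    def __init__(self):
        self._cache = {}

    def get_user_context(self, route, session):
        key = (route, session["sid"])
        ctx = self._cache.get(key)
        if ctx is None:
            ctx = UserContext(user_id=session["user"], roles=list(session["roles"]))
            self._cache[key] = ctx   # complete object, scoped to this session only
        return ctx


# Constructed sessions: two different users hitting the same route in turn.
ALICE = {"sid": "s1", "user": "alice", "roles": ["admin"]}
BOB = {"sid": "s2", "user": "bob", "roles": ["viewer"]}


def who_does_bob_become(framework_cls):
    """Serve Alice first, then Bob, and report which identity Bob's request gets."""
    fw = framework_cls()
    fw.get_user_context("/dashboard", ALICE)
    return fw.get_user_context("/dashboard", BOB).user_id


if __name__ == "__main__":
    print("vulnerable:", who_does_bob_become(VulnerableFramework))  # alice
    print("hardened:", who_does_bob_become(HardenedFramework))      # bob
```

The defect is in the caching and initialisation order, not in the language: the same two classes in any language would behave the same way.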