Yeah but in my case thats not the case. The client does all the calculations as the server is simply a webserver with a database, nothing more. No application running. But the client is limited in doing stuff by the data set in the database. The client constantly needs to peek in the database if his actions are valid or not. Is it then still safe?