Frontends of most modern applications are not built using server-side web application frameworks, such as Spring MVC, Java Server Faces (JSF), and so on. Infact, many are built using full-fledged client-side frameworks, such as React (to be full-fledged, it has to be combined with other libraries), Angular, and so on. The previous statement doesn't mean in any way that there is no place for such server-side web application frameworks. According to the application you are building, there are specific places for each of these frameworks.

When using client-side frameworks, the client code (HTML, JS, CSS, and so on) in general is not secured. However, the data required to render these dynamic pages is secured behind a RESTful endpoint.

To secure a RESTful backend, the JWT is used to exchange claims between the server and the client. The JWT enables the stateless exchange of tokens between the two parties and takes away the burden of session management (no more sticky sessions or session replication between multiple server nodes) by the server. This enables the application to scale horizontally in a cost-effective manner: