It is. And since you are a backend freak you should probably use AJAX calling a responsive secure server-side application (like Java/Python/etc.).
Then your game state is as secure as your server/server-side code is.
Our (rough) architecture looks like this:
User Browsers ---> Gateway Server ----> Client-side Server generation code
----> Client Side files
----> Core components
----> Security Library
----> In-memory data cache ----> Database
I have a lot of Java servlets that mediate all of our game state, security, data caching/database, etc. Then I communicate to the C2 client either by direct variable injection using input TextBox tags or AJAX via our API.
Company name changed to avoid Facebook-type shenanigans
"Someone once told me I bite off more than I can chew...
I told them I would rather choke on greatness than nibble on mediocrity."