Hi, this is a general question regarding securing around an SPA. I have a React app that I've secured using okta with the Authentication Code + PKCE code flow. 

The user first loads the SPA, then is redirected to the Okta home page to login. That's all fine, but this means the user receives all the frontend React app code. This would include any pages that were created in React, right? 

Most of the data lives behind a RESTful server, which is fetched via requests. The endpoints are secured by token validation.  However, there are some pages that are written on the React frontend (with JSX). Should I move this HTML to the backend and secure them? Or is there a way to lock down the React app before authentication occurs?

Hopefully my concerns here make sense - thanks for your help!