wys15wyg

wys15wyg t1_j6anzls wrote

Anything interactive, anything that processes information is done by server-side code, which takes information from what you enter into forms, like a login or a profile update, to return with the information you requested, such as your updated profile. That journey from your browser back to the server is encrypted and then sanitised (hopefully) so you cannot send anything malicious. This code sits on the server, and should never be accessible.

It is my job to make it inaccessible to you.

All you can steal, apart from gaining actual access to a server, is the front-end code, which the server sends back to make your browser do what we want it to do. Which is just HTML and CSS and JavaScript and for the most part only operates in the browser.

To complicate matters, there is most often JavaScript running in your browser that talks to the server through Ajax and WebSocket connections, and can perform similar request processing without actually submitting the page back to the server (what happens when you press send on a form). It's utilities like that that do things like autocomplete on search functions. Or live updates on your profile.

The best metaphor is the spinning arrow on your browser tab. When you submit a form in Chrome, it spins anti-clockwise while the request travels to the server. It then gets the processed information, and starts spinning in the other direction as it returns with the processed data.

I'm still amazed though when I meet developers who fail to grasp the difference between the front and back end. And yes, it does happen.

4
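The server-side checking of submitted form data that the comment describes, as an added example that is not part of the original comment: the handler validates the raw request body itself and encodes values before they go back into HTML. The field names, limits and the `handleProfileUpdate` function are assumptions made for illustration.

```javascript
// Constructed example: server-side handling of a submitted profile form.
// Field names and limits are assumptions for illustration.
const RULES = new Map([
  ['displayName', { min: 1, max: 40, pattern: /^[\p{L}\p{N} ._'-]+$/u }],
  ['bio', { min: 0, max: 200, pattern: /^[^\u0000-\u001f]*$/ }],
]);

// Encode text before placing it in the HTML returned to the browser.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// rawBody is the urlencoded form body exactly as it reached the server.
// Browser-side checks (maxlength, JavaScript) are not trusted here.
function handleProfileUpdate(rawBody) {
  const form = new URLSearchParams(rawBody);
  const errors = [];
  const clean = {};

  // Reject fields the form never contained.
  for (const key of new Set(form.keys())) {
    if (!RULES.has(key)) errors.push(`unexpected field: ${key}`);
  }

  for (const [name, rule] of RULES) {
    const values = form.getAll(name);
    if (values.length !== 1) {
      errors.push(`${name}: expected exactly one value`);
      continue;
    }
    const value = values[0].trim();
    if (value.length < rule.min || value.length > rule.max) {
      errors.push(`${name}: length out of range`);
    } else if (!rule.pattern.test(value)) {
      errors.push(`${name}: disallowed characters`);
    } else {
      clean[name] = value;
    }
  }

  if (errors.length > 0) return { status: 400, errors };
  const html = `<h1>${escapeHtml(clean.displayName)}</h1><p>${escapeHtml(clean.bio)}</p>`;
  return { status: 200, profile: clean, html };
}
```

Validation decides whether the request is accepted at all; the encoding step is what keeps accepted text such as `<b>hi</b>` from being interpreted as markup when the page is rendered.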