[security]Is it possible to bypass a disabled button?

As far as I know, disabling a button in a web page doesn’t mean user cannot take that action, because hacker can still make a “fake” HTTP request if he knows how to do it. I wonder if Vaadin has anything to deal with this?

For Vaadin 7, 8 and 10 when using Flow, Vaadin deals with this out of the box. The framework knows server-side that a button is disabled, and will not accept any interaction coming from the client. So an attacker can try faking requests all they want, the server will not react to them.