Security should always be implemented on the backend services where the data resides. That is the only safe place to implement security layer.
Clients can be developed independently of the REST services using mock data. REST services can likewise be developed independently of the client.
Simple example about routing and vars through the url.
Protractor is a Node.js-based framework, just like Karma.
Karma is a test runner based on Node.js.