From the server-side perspective, an extension to the "never trust the user input" rule of thumb is to never trust what the client-side sends you. With some knowledge of browser inspect tools (or tools like curl) people can easily tweak what the browser sends you, go around client-side validations and even add unexpected fields to the request.

So, security-wise server validations are very important. I would also add them on the client-side, but mostly to improve user experience - although they may also be useful if you have a lot of logic on the front-end and need to do things with the data the user gives you before sending it to the server 👍

TLDR: use both! ✌️

Server-side at two levels

• REST API itself
• Database, via ORM / ODM

Client side? Although I don't often allow text inputs, I actually apply validation as well as defensive programming quite often (I don't trust TypeScript). Also, if I allow user to input markdown, there will be DOMPurify.

And as Manolo said, text inputs need UI feedback, if it won't work anyway.

Clientside for helpful error messages for the user and then serverside to just check it is right or wrong. I tend to give pretty generically named/labelled errors back from the server in case somebody is trying to find a vulnerability. Yes, there is often duplication but a necessary evil to make sure your application is both secure and user friendly.❤️

just a reminder: curl is a thing

I usually use both, front-end for feedback mostly, and to avoid unnecesary requests to the server.
And I go with the actual heavy validation on the server.

Give him feedback kindly 🎈, but validate its input harshly 🪓

From My point of view...

I use Server Side Validation for Sensitive Forms like Sigin/Signup or Payment form

And Client side for
Comment's, leave a review or etc etc...

Why Server Side

Server side can't be broken easily, a experienced guy can deal with client side or broke Curl (Reminder)... whatever I am not much known of it...

I feel more safe using Server Side🎉🎉

Cheers to Server Side Validation 🎉

Both, client-side for UX, so the user gets direct feedback. And server-side to really validate/verify the data and prevent errors.

At least the API should have validation or users will exploit it sooner or later.

Yes.

Both. Always.

Client-side: Do it early and do it with usability. (e.g) Phone number field has the right format depending on the country and area code.

Server-side. Do it ALWAYS. Never trust the client. Client could be a browser, mobile app, or API client. For the phone number provided, validate for format but more importantly check against blocked number database, spam numbers or send an OTP - whatever the biz logic is.

The only answer is both, for the simple reason your server can't trust anything it's receiving and the client needs to make sure it adheres to the constraints set by the contract (API, Websocket, GraphQL etc.)

It is very simple. As you already have decoupled client and server you have 2 edges in your system. The only correct answer would be both.

• you want your client to provide valid data to the backend + direct feedback to users.
• you want your backend to only accept valid data as you probably want to prevent any sort of intrusion (Remote Code Execution, Injection etc.).

You can test both modules separately and more important if someone else connects to the backend (either legit or not) your data processing is always clear.

I agree to both. You want client side so that you don't have to make a post to your server if you don't have to, as well server, in case there is either an injection hack or the client side code doesn't work correctly (how much code doesn't work, or works different in internet explorer)

Well, actually Both.

Why not, only Server-side???

• It will be slower and not realtime
• Every time requesting the server will be an overhead for the server.

Why not, only Client-side???

• Browsers can be set to disable Validations.
• Scripts can be manipulated in the browser.