How can you choose between client-side and server-side validation for web security?

Client-side validation is like checking your homework on your own, before submitting it to the teacher. You use a script or a formula to make sure your answers are correct and complete, and you get instant feedback if you make a mistake. This can help you improve your homework, save time for the teacher, and avoid unnecessary corrections. However, client-side validation is not reliable, as you can cheat, change, or skip the checking process if you want to. Therefore, client-side validation should not be used for important or confidential homework, such as exams, essays, or personal projects.

Both client-side and server-side validations are necessary. For instance, when submitting a form with a mobile field, on the client side, the field might be set as a number or tel type to ensure proper input. However, it's crucial to recognize that if someone attempts to access the backend API and tries to modify the input type, it could potentially impact the data. This highlights the importance of server-side validation to check and enforce that only numbers are allowed for that particular field.

Client-side validation is assisting the user to complete their task without errors or mistakes preemptively. It is not intended to be the source of enforcement of system or business rules (though it may warn or prevent the user from submitting). Its goal is to protect the user and provide better UX.

Imagine going through a form with over 10 input fields that you have to fill, then after submiting the form you are told there is an error and you have to refill the form again, Client side helps reduce these by validating the data before its even posted to the server side for processing. At the same time you have others who are experiemental and want to alter your code through inspect element. Now someone is posting a name on an number field. Server side helps validate the input again before trying to process the data to reduce any errors or attacks that might occur

Undoubtedly both are necessary. Client-side validations help in better user experience and guide the user to go through the process in an efficient manner. Whereas on the other side server side validations ensures that data being processed is accurate and less prone to to break the system in next level processing. In an API driven architecture, it has become the utmost important aspect of any system design. HTH.

Server-side validation is like asking the teacher to check your homework, after submitting it to them. You use a language or a program to make sure your answers are correct and complete, and you get feedback from the teacher if you make a mistake. This can help you protect your homework, avoid cheating, and access more resources. However, server-side validation can also have some challenges, such as making the teacher busy, waiting for the feedback, and using more paper or internet. Therefore, server-side validation should be used for important or complicated homework, such as database queries, business logic, or authentication.

En el cliente no hay secretos. En el lado del servidor, sí. La validación en el server es la puerta del sótano de la seguridad de tu aplicación web. Nada que consideremos incorrecto debe pasar a nuestra base de datos o sistemas de notificaciones del lado del servidor. Los usuarios no son malos, pero si hay que ponerse en "lo peor". Es esencial tratar todas las entradas del cliente como potencialmente maliciosas y validarlas adecuadamente en el servidor antes de procesarlas.

Server-side validation is the enforcement of system and business rules. It is intended to prevent certain data or actions that would compromise the system. It may require querying other facets of the system to perform the validation. Because servers can receive requests that did not originate in the client app, it must treat all requests as suspect and needing full validation. It may also require that certain protocols like https are used by the connecting client.

Server side validation is very important to make sure that no one specially hackers and other devs break your app by inserting non logical data, because it's very easy to bypass frontend validation by sending direct api requests directly to the api endpoint.

Server-side validation refers to the process of validating user input on the server before processing or storing it. It is an important security measure that ensures the integrity, consistency, and safety of data received from the client. When a user submits a form or sends data to the server, server-side validation checks whether the input conforms to the specified rules and constraints defined by the application. This validation process typically involves verifying the data against predefined criteria such as data types, length limits, format requirements, and business rules. Server-side validation is performed on the server using server-side programming languages like PHP, Python, Java, or ASP.NET.

Ultimately, the choice between client-side and server-side validation depends on the specific requirements of your web application, the importance of security, and the user experience you aim to provide. A thoughtful approach that combines both methods where necessary can help achieve the best results.

You can choose to not have client-side validation, as that is merely a convenience for the user. It provides a better experience than having to wait for a full page reload, only to find you’ve missed something. You should not choose to not have server-side validation, because client-side validation cannot be trusted. There’s always some way it can be bypassed, so it’s not worth the effort trying to harden it. Server-side validation should be the authoritative point of validation, where you make sure everything is valid. Some validations cannot be reasonably executed on the client-side, and in those cases it might be best to leave them for the server-side. Think of uniqueness constraints or file validations.

From my experience, doing both will be the best. I had a scenario where someone could bypass your client-side validation, but the server-side will be useful in this case.

It's not a choice we have to use a combination of both client-side and server-side validations to create a robust system. Client-side validation provides a responsive and efficient user experience, reducing the load on the server, while server-side validation acts as the final line of defense, handling all validations to maintain data accuracy, security, and overall system integrity. Balancing these two aspects ensures a smooth user experience without compromising on security and data integrity

Client side validation is more for better ui/ux perspective. True validation takes place server side only. Besides if the server keeps serving multiple clients (mobile, web, desktop etc), then having consistent server side validation is common sense.

Modern component architectures make it easier to integrate client-side validation into your components and actions. Thing of it has supplementing the capability of your existing frontend pieces.

Client-side validation can be implemented in two ways. HTML form validation (using the 'required', 'maxlength', and other attributes) or using JavaScript validation functions or event listeners.

Según mi experiencia la primera barrera se puede hacer simplemente con HTML. El atributo "pattern" por ejemplo me ayudó a validar un campo de precio que solo debía admitir números, un punto y una coma (ej: "[0-9,.]*"). Si quieres dar otro salto te será de ayuda utilizar librerías de validación. Si no usas ningún framework validarium puede ser un buen punto de partida. Pero casi siempre tenderás a usar React, Vue, Angular y otros frameworks de JavaScript que te permitirán controlar estados de forma más compleja.

The client side validation can be implemented in many ways : => Html form (that describes types of data needs to be entered like number, date, text etc.) => Javascript form validation that can trigger / alert message to user who is submitting the form and notify which input is wrong. =>Adding Event Listeners that can detect changes on input fields, for example "password should be ... length" or REGULAR expression to detected types of combination required for password.

To implеmеnt cliеnt-sidе validation, you havе sеvеral options. You can usе HTML attributеs likе "rеquirеd" and "pattеrn" to sеt basic rulеs for form fiеlds. JavaScript functions triggеrеd by еvеnts likе "onsubmit," "onchangе," or "onblur" can providе custom validation logic and usеr fееdback. Altеrnativеly, you can еmploy еxtеrnal librariеs such as jQuеry, Bootstrap, or Angular, which offеr prе-built or customizablе validation fеaturеs to simplify thе procеss. Thеsе librariеs еnhancе validation capabilitiеs and improvе thе usеr еxpеriеncе.

One option to improve the validation in some situations is adopt the async way, if we consider the validations will fill this requirement. For example, depending on the process validation could be an alternative, process in async way and after send an report of results to the user.

Server-side validation involves receiving user input and sanitizing it to remove any potentially harmful content such as SQL injection and cross-site scripting. The input should be validated and any validation errors should be handled before responding to the client.

Ways to implement validation in server: -> validation of inputs : validation checks needs to be added before storing them to the database. -> Sanitization of data and validation of data : Sanitization acts as a protective measure, ensuring that the data remains void of potential malicious characters, such as those used in SQL injection or XSS attacks. On the other hand, validation serves the purpose of confirming that the data aligns with the anticipated format and meets the necessary requisites.

Better practice is to implement a cryptography protocol to validate at server side. Encrypt & decrypt the data using a unique key for validation. Complexity of the protocol depends on the method & the complexity of the unique key.

One mistake I see devs making a lot is trusting the body or query parameters of the request. You can trust the url path so any id associated with the request must be passed this way, and not through the query params or request body.

You should not rely on client side validation, it's very easy to be bypassed by a lot of methods, turning off Javascript, manipulating Java script in the browser, or directly reaching the api endpoint, backend validation is very important.

During my support at social security and protection organization, the payment button at client-side had validation to check upper limit of payment threshold , but javascript as frontend is not good at handling the calculation of numbers, i.e. 1.2+1.5 works but 0.1+0.2 is weird. So, because of these reason, the insurance threshold amount was bypassed from client-side and also due to not having validation at server-side the issue caused lot of problem for the organization. Final takeway for both client & server validation is that, even if client-side validation is present (it could be potentially modified) but server-side cannot be so, i ensure both side needs a validation.

Client-side validation is vulnerable to manipulation by malicious users who can disable or modify JavaScript, or use other client-side tools to bypass the validation. Server-side validation is more secure because it occurs on the server, which the user has less control over. It is less susceptible to tampering or bypassing by malicious actors. In most cases, it's advisable to use a combination of client-side and server-side validation. Start with client-side validation for a better user experience and immediate feedback, but always complement it with server-side validation to ensure security and data integrity. Make sure to prioritize server-side validation for critical operations and sensitive data.

Perform threat modelling to identify potential vulnerabilities and assess the risk associated with client-side and server-side validation.