I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Location
Scotland
Education
Self-taught Developer
Work
Developer Advocate for Mobile and API Security at approov.io
You can enable validation built into the HTML standard, or use libraries like jQuery Validation, for the client. Checking the input before it is sent to the server can be a lifesaver, and will save you from having to validate on the server - not to mention the roundtrip back to the server.
It will not be a lifesaver, it will be suicide.
You cannot trust any data that comes from outside your server.
WHY?
Because the backend is not able to distinguish genuine requests made by your genuine app from requests made by a script or a tool like Postman.
Serial podcast creator and .NET Core maniac.
Can often be found talking about everything and nothing on one of the many podcasts that he produces (only one of them is about .NET Core, honest)
Location
Leeds, UK
Education
Computer Science with Games Development - BSc
Work
.NET Development Contractor; Podcast host, producer and editor
Client: the application making the request to the server. This can be a web app, a mobile app, a script, or a tool like Postman.
The server cannot trust data from the client, but if you only do validation on the client side (your web app), then your server is trusting client data.
For me, the message you are passing is that once you validate the data the user inputs on the client side, the server doesn't necessarily need to check it again, and this is why I said that it is suicide.
It's interesting that you thought that, because the next paragraph goes on to say that you should use server-side validation. And the paragraph after that talks about database-side validation.
I may have to revise my statement so that it's clear that you should use all three.
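The point both comments make above (the backend cannot tell a genuine browser form from a Postman request, so client-side checks are only a convenience) and the "use all three" layers in the reply, carried into code as an added example that is not part of the article or of either comment. It assumes a hypothetical JSON signup endpoint with `email` and `age` fields, whose HTML form would use `type="email"`, `required`, `maxlength="254"` and `min="18" max="120"`; the server re-checks every one of those constraints itself, and the table's CHECK constraints are the database-side layer that catches anything the server code lets through:

```python
"""Server-side and database-side validation that does not rely on the client.

Added example (not from the article or the comments). The endpoint, field
names and limits are assumptions chosen to mirror a typical HTML signup form:
    <input name="email" type="email" required maxlength="254">
    <input name="age" type="number" min="18" max="120" required>
A script or Postman user never sees those attributes, e.g.
    curl -X POST /signup -H 'Content-Type: application/json' -d '{"email":"x","age":-5}'
so every constraint is enforced again here.
"""
import re
import sqlite3

# Deliberately simple e-mail shape check; the point is that it runs server-side.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_FIELDS = {"email", "age"}


def validate_signup(body):
    """Return a list of error strings for a decoded JSON body; empty means valid."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    extra = set(body) - ALLOWED_FIELDS
    if extra:  # reject fields the form never sends (mass-assignment style abuse)
        errors.append(f"unexpected fields: {sorted(extra)}")
    email = body.get("email")
    if not isinstance(email, str) or not email:
        errors.append("email is required")
    elif len(email) > 254 or not EMAIL_RE.match(email):
        errors.append("email is malformed")
    age = body.get("age")
    # bool is a subclass of int in Python, so JSON true/false must be excluded explicitly
    if isinstance(age, bool) or not isinstance(age, int):
        errors.append("age must be an integer")
    elif not 18 <= age <= 120:
        errors.append("age must be between 18 and 120")
    return errors


def open_db():
    """In-memory SQLite schema whose CHECK constraints repeat the same rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               id    INTEGER PRIMARY KEY,
               email TEXT    NOT NULL UNIQUE
                             CHECK (length(email) <= 254 AND email LIKE '%_@_%._%'),
               age   INTEGER NOT NULL CHECK (age BETWEEN 18 AND 120))"""
    )
    return conn


def handle_signup(conn, body):
    """Simulated POST /signup handler: returns (http_status, response_body)."""
    errors = validate_signup(body)
    if errors:
        return 400, {"errors": errors}
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(
                "INSERT INTO users (email, age) VALUES (?, ?)",
                (body["email"], body["age"]),
            )
    except sqlite3.IntegrityError as exc:
        # UNIQUE -> duplicate signup; a CHECK failure here would mean the
        # server-side validation above has a gap, which the database still closes.
        return (409 if "UNIQUE" in str(exc) else 500), {"errors": [str(exc)]}
    return 201, {"ok": True}


def db_rejects(conn, email, age):
    """Defence in depth: bypass validate_signup entirely and insert directly.

    Returns True if the table's CHECK constraints block the row.
    """
    try:
        with conn:
            conn.execute("INSERT INTO users (email, age) VALUES (?, ?)", (email, age))
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    # Constructed payloads: the first is what the browser form would send, the
    # rest are what a script or Postman can send regardless of the form's attributes.
    for payload in (
        {"email": "alice@example.com", "age": 30},
        {"email": "not-an-email", "age": -5},
        {"email": "bob@example.com", "age": True},
        {"email": "bob@example.com", "age": 25, "role": "admin"},
        "just a string",
        {"email": "alice@example.com", "age": 30},
    ):
        print(payload, "->", handle_signup(db, payload))
    print("DB alone rejects age 5:", db_rejects(db, "carol@example.com", 5))
```

Each forged payload is rejected by `validate_signup` before it reaches the database; `db_rejects` shows that even a handler bug that skipped the server-side check would still be stopped by the schema, which is the third layer the reply refers to.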
Exactly this.
NEVER trust data from the client.