The only answer is both, for the simple reason your server can't trust anything it's receiving and the client needs to make sure it adheres to the constraints set by the contract (API, Websocket, GraphQL etc.)
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
The only answer is both, for the simple reason your server can't trust anything it's receiving and the client needs to make sure it adheres to the constraints set by the contract (API, Websocket, GraphQL etc.)