DEV Community

Discussion on: Input Validation: Client-side or Server-side?

Pedro Gaspar • Edited

From the server-side perspective, an extension to the "never trust the user input" rule of thumb is to never trust what the client-side sends you. With some knowledge of browser inspect tools (or tools like curl) people can easily tweak what the browser sends you, go around client-side validations and even add unexpected fields to the request.

So, security-wise, server validations are very important. I would also add them on the client-side, but mostly to improve user experience - although they may also be useful if you have a lot of logic on the front-end and need to do things with the data the user gives you before sending it to the server 👍

TLDR: use both! ✌️

leob • Edited

Absolutely, the challenge then becomes how to avoid coding (and maintaining) your validations twice, especially if you're not using the same programming language on the server as on the client. There are solutions for this, but TBH for this reason I often do server-side validation only. Doing only client-side validation isn't safe, obviously.

Pacharapol Withayasakpunt • Edited

Generating a Swagger or OpenAPI file (*.json / *.yaml) and using it in the client seems to be the closest way I know.

leob

Yeah true, Swagger would be helpful

이아 | Nessa Okeke

I like the idea of validating on both sides honestly.
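
The two points raised in this thread (the server must re-check everything, including fields the form never sends, and the rules should not be written twice) can be shown together. The following is an added example, not code from any of the commenters: a single declarative schema and validator that runs unchanged in the browser and in Node. The names `signupSchema` and `validate`, the field set and the request bodies are hypothetical and constructed for illustration.

```javascript
// Added example: one schema, one validator, shared by client (UX) and server (security).
// signupSchema, validate and the sample bodies are hypothetical.
const signupSchema = {
  email:    { type: "string", required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age:      { type: "number", required: false, min: 13, max: 130, integer: true },
  nickname: { type: "string", required: false, maxLength: 32 },
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validate(schema, input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    return { ok: false, errors: ["body must be a JSON object"], value: null };
  }
  const errors = [];
  // Reject fields the schema does not declare (e.g. an injected "isAdmin").
  for (const key of Object.keys(input)) {
    if (!own(schema, key)) errors.push(`unexpected field: ${key}`);
  }
  const value = {}; // only declared, checked fields are copied out
  for (const [key, rule] of Object.entries(schema)) {
    if (!own(input, key)) {
      if (rule.required) errors.push(`missing field: ${key}`);
      continue;
    }
    const v = input[key];
    if (typeof v !== rule.type || (rule.type === "number" && !Number.isFinite(v))) {
      errors.push(`${key}: expected ${rule.type}`);
      continue;
    }
    if (rule.integer && !Number.isInteger(v)) errors.push(`${key}: must be an integer`);
    if (rule.min !== undefined && v < rule.min) errors.push(`${key}: below ${rule.min}`);
    if (rule.max !== undefined && v > rule.max) errors.push(`${key}: above ${rule.max}`);
    // Check length before running the regex so oversized input never reaches it.
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${key}: too long`);
    else if (rule.pattern && !rule.pattern.test(v)) errors.push(`${key}: bad format`);
    value[key] = v;
  }
  return errors.length ? { ok: false, errors, value: null } : { ok: true, errors, value };
}

// Constructed request bodies: what the form sends, and a hand-edited request
// with a string where a number belongs plus an extra field.
const fromForm = JSON.parse('{"email":"ana@example.com","age":30}');
const tampered = JSON.parse('{"email":"ana@example.com","age":"30","isAdmin":true}');
console.log(validate(signupSchema, fromForm));
console.log(validate(signupSchema, tampered));
```

On the server, only `value` from a successful result should be passed on to business logic, so that undeclared fields never reach it.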