To what extend should I rely on client-side validation?

Question

I have a lengthy form which heavily uses client-side validation (written in jQuery). To prevent users with disabled JavaScript submitting the form, I have included a hidden

Answer 1

Server side validation is a must, client side validation is to do as much as is practical without the overhead of a round trip to the server.

Answer 2

No. Client side validation is only here for the comfort of the user, not to protect your server.

All client side actions are easy for the user to change.

To protect your server you MUST add server side validation.

Answer 3

To what extent? None. You should never rely on client-side validation at all. Client-side validation is purely for UX purposes.

The true validation is always done on the server.

Answer 4

All of the above answers are valid, I just want to add a couple of points.

Client Side

• Client-side validation can be used to give instantaneous feedback to the user without the need for additional requests to the server (Lower Traffic).

• Client-side validation can be easily bypassed. (Disable JavaScript, Custom HTTP Requests, Access using e.g. CURL)

Server Side

• Can not be bypassed (Unless you've left an exploitable piece of code)

• Good server side validation can prevent potential threats such as XSS, and SQL Injection. (Can lead to obtaining other users data, or break your database)

How I believe this will change

I'm looking forward to further development of the WebSocket protocol and for it to become more widely used.. WebSockets allow for a two way (full duplex) connection, meaning it will be incredibly efficent to validate from the server-side for example every time a key is entered into an input field. Hopefully this approach will do away with client-side validation!