Where should you do form validation: on Backend, Frontend or both? And Why?

This note is the result of research on where and why you should do form validations: on Backend, Frontend or both.

The best summary you can find:

The people saying to do it on both sides are correct, but there's a bit of nuance here.

You HAVE to do it on the back end for security purposes. That's really the key consideration. You can't ever trust what's coming from the client. Period, end of story. It can ALWAYS be hacked, that's how you have to treat it.

Doing it on the client-side is about user experience (and efficient resource utilization). Why incur the round-trip of a request to the server and back just to tell the user they typed the email address wrong? It's much faster to do that check on the client and provide more immediate feedback, and it keeps that load off your server. But, all that said, you never HAVE to do it in the client-side. You may decide your expected traffic isn't going to be large enough to really care, and you may decide the delay of calling the server is so minor that you don't care. I'd argue those are never the best choices, but since this isn't about security, it is, frankly, less critical.

So yes, do it on both sides, but you do it on each side for different reasons, that's the nuance.
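To make the split concrete, here is an added example (not part of the original note or the quoted summary): one validation function that the browser can call for immediate feedback and that the server calls again on every request, since only the server-side run counts as a security control. The field names, limits, status codes and the `handleSignupRequest` helper are assumptions for illustration.

```javascript
// Added example: field names and limits are assumptions for illustration.
const ALLOWED_FIELDS = ['email', 'displayName', 'age'];
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Pure function: the browser can call it for instant feedback, and the
// server calls it again because only that second run is a security control.
function validateSignup(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: { _form: 'expected a JSON object' } };
  }
  const errors = Object.create(null); // no prototype, so any key name is safe
  // Fields the form never had are rejected, not silently passed along.
  for (const key of Object.keys(input)) {
    if (!ALLOWED_FIELDS.includes(key)) errors[key] = 'unexpected field';
  }
  const { email, displayName, age } = input;
  // Length is checked before the regex so oversized input is cheap to reject.
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.email = 'invalid email address';
  }
  if (typeof displayName !== 'string' || displayName.length > 50 ||
      displayName.trim().length === 0) {
    errors.displayName = 'must be 1-50 characters';
  }
  // Types are checked too: JSON sent outside the form can carry "30" or null.
  if (!Number.isInteger(age) || age < 13 || age > 120) {
    errors.age = 'must be a whole number from 13 to 120';
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Server-side entry point: re-validates every request, whatever the client did.
function handleSignupRequest(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: { errors: { _form: 'malformed JSON' } } };
  }
  const result = validateSignup(body);
  if (!result.ok) return { status: 422, body: { errors: result.errors } };
  return { status: 201, body: { email: body.email } };
}

// Constructed sample bodies: one as the form would send it, one that never
// passed through the form's checks.
const fromForm = '{"email":"ann@example.com","displayName":"Ann","age":30}';
const notFromForm = '{"email":"nope","displayName":"","age":"30","isAdmin":true}';
console.log(handleSignupRequest(fromForm).status);
console.log(JSON.stringify(handleSignupRequest(notFromForm)));
```
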

More on form validation:
