Server-Side Validation

Web applications work under the client-server model. We have been focusing on the server portion, using ASP.NET Core MVC and C# to create server-side application code. A critical component of any well-made web application is validation, which is the process of checking that data conforms to certain criteria. Validation ensures that the application only stores meaningful data.


Consider a user registration form on a web site. Effective validation rules might require that:

  • The username is between 3 and 12 characters long, and
  • The password is between 6 and 20 characters long.

Web applications should validate all data submitted by users. This ensures that data remains well-structured and unexpected errors don’t occur. Validation that occurs in the browser—using JavaScript or HTML attributes—is client-side validation. Validation that occurs on the web server is server-side validation.

Even if client-side validation is done, it is still critical to validate data on the server. This is because client-side validation can often be bypassed by a savvy user. For example, such a user might modify HTML using a browser’s developer tools, or disable JavaScript.

Server-side validation involves both the model and controller.

  • The model is responsible for defining validation rules.
  • The controller is responsible for checking validation rules when data is submitted to the server.

Check Your Understanding


The best practice for validating data in a web app is to:

  1. Use client-side validation
  2. Use server-side validation
  3. Use both client-side and server-side validation
  4. Don’t validate incoming data