15.2. Server-Side Validation

Web applications work under the client-server model. We have been focusing on the server portion, using ASP.NET Core MVC and C# to create server-side application code. A critical component of any well-made web application is validation, which is the process of checking that data conforms to certain criteria. Validation ensures that the application only stores meaningful data.


Consider a user registration form on a web site. Effective validation rules might require that:

  • The username is between 3 and 12 characters long, and
  • The password is between 6 and 20 characters long.

Web applications should validate all data submitted by users. This ensures that data remains well-structured and unexpected errors don’t occur. Validation that occurs in the browser—using JavaScript or HTML attributes—is client-side validation. Validation that occurs on the web server is server-side validation.

Even if client-side validation is done, it is still critical to validate data on the server. This is because client-side validation can often be bypassed by a savvy user. For example, such a user might modify HTML using a browser’s developer tools, or disable JavaScript.

Server-side validation involves both the model and controller. The model is responsible for defining validation rules, while the controller is responsible for checking validation rules when data is submitted to the server.

15.2.1. Check Your Understanding


The best practice for validating data in a web app is to:

  1. Use client-side validation
  2. Use server-side validation
  3. Use both client-side and server-side validation
  4. Don’t validate incoming data