1

I've created a register form validation on frontend and backend and I am checking both at the frontend and backend: whether the name and surname consist of letters only, whether the password contains numbers, uppercase and lowercase letters, whether the email is correctly saved.

The interface informs about errors. My question is, since I check all the conditions on the frontend, should the backend also send error messages to the frontend?

I mean both frontend and backend check data validation, but should the frontend react to backend error messages? It seems unnecessary for the backend to send information that f.e. the password is too short, since the frontend already does it. The backend should only make sure that f.e. the password length is appropriate.

Second question: should I check on the backend side whether the checkbox regarding acceptance of the website regulations has been selected or whether the password and the repeated password are the same?

  • 1
    Does this answer your question? https://stackoverflow.com/questions/162159/javascript-client-side-vs-server-side-validation – Pranavan Aug 08 '21 at 14:45
  • 1
    I know that both frontend and backend need to validate data, but my question is, since the frontend is already showing error messages, whether the backend should also send information about the same errors to the frontend (this situation will only happen when someone manipulates the code on the frontend)? – some nooby questions Aug 08 '21 at 14:52
  • Yes it is. Anyone can modify the front end code with just opening dev tools. You need to do validation on the backend to minimize the vulnerability. – Pranavan Aug 08 '21 at 14:58
  • 2
    If your site requires JavaScript to work, then handling the backend validation errors well may be needless. However, you must validate on the backend, and you should consider if you'll ever release new validation on the backend independently of the front-end. I'd assume it's relatively low effort to handle it gracefully and so would just implement it. At a minimum implement some kind of catch all handling for if your backend is down or the network request fails. – Michael Aug 08 '21 at 15:02
  • Yes, this is what I meant, thank you @Michael! – some nooby questions Aug 08 '21 at 15:06

1 Answer

0

First of all, if you don't want to make validation on both frontend and backend, better to leave backend validation then.

Frontend validation is mostly used to:

  • make UI more user-friendly and responsible
  • cut requests to backend

If you are doing a small pet project, it might look like a good idea to leave only frontend validation. But as the application grows you might face a lot of issues here:

  • newly added logic that needs to modify data in your models (without a frontend form) won't work, as you can't validate the model before saving.
  • you will receive form on backend with invalid data (e.g. from customer with disabled/broken JS, or from someone who disabled your validation on purpose)
  • you might miss some validation cases on frontend and will get inconsistent data too

So, backend validation is a must-have. You might miss some validation on frontend (or skip it if it's not necessary, e.g. for admin panel). But missing backend validation is a dead end for scalable apps.

Should I check on the backend side whether the checkbox regarding acceptance of the website regulations has been selected or whether the password and the repeated password are the same?

Yep, better to ensure your data is correct before saving data to DB.

Edit: Ah, I see, so you have backend validation. In this case, it really depends on your app. Better to show some explanation so the user won't be confused. But sometimes it makes sense to just show that some error occurred on the server and leave it be.

  • Thank you, but you misunderstood my question. I know that data needs to be validated on both frontend and backend, but is it necessary to send a message from the backend to the frontend like, f.e., "Hey, your password is too short" when the frontend gives users this information first? In my opinion, the backend should only check if the password is the right length and not send any error messages if it appears. Why? Because the frontend already did that! I mean: frontend = validation + error information, backend = just validation. – some nooby questions Aug 08 '21 at 15:02
  • From my experience (6+ years, quite a few projects), we always did it that way: both frontend and backend validation. The backend should contain all rules, the frontend only basic validation (e.g. we can't validate some ERP rules or relations on the frontend). But anyway, we still return an array of errors to the frontend and display some popup/tooltip/message with errors. So, in my head it always strikes me as the best way to deal with this kind of issue. Yep, it's a bit of overhead and might not work on your project, especially if you are doing some admin panel or pet project. – Crazy Panda Aug 08 '21 at 18:43
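
The pattern discussed in this thread, as an added example that is not code from any of the posts: the backend re-checks every rule from the question (including the checkbox and the repeated password) and returns an array of errors, and the client maps it to field messages with a catch-all for failed requests. The field names, error codes, the 422 status and the minimum length of 8 are assumptions.

```javascript
// Added example: server-side validation of the registration payload.
// Field names, error codes and the response shape are assumptions.
const LETTERS_ONLY = /^\p{L}+$/u;
const EMAIL_SHAPE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MIN_PASSWORD_LENGTH = 8; // assumed; the page gives no number

function validateRegistration(input) {
  const body = input && typeof input === "object" ? input : {};
  const errors = [];
  const add = (field, code, message) => errors.push({ field, code, message });
  const str = (v) => (typeof v === "string" ? v : ""); // tampered requests may send non-strings

  for (const field of ["name", "surname"]) {
    if (!LETTERS_ONLY.test(str(body[field]))) add(field, "letters_only", "Use letters only.");
  }
  if (!EMAIL_SHAPE.test(str(body.email))) add("email", "invalid_email", "Enter a valid email address.");

  const password = str(body.password);
  if (password.length < MIN_PASSWORD_LENGTH) {
    add("password", "too_short", `Use at least ${MIN_PASSWORD_LENGTH} characters.`);
  }
  if (!/\d/.test(password) || !/\p{Ll}/u.test(password) || !/\p{Lu}/u.test(password)) {
    add("password", "weak", "Include a digit, a lowercase and an uppercase letter.");
  }
  // The two checks from the second question: a hand-crafted request can skip either one.
  if (password !== str(body.passwordRepeat)) add("passwordRepeat", "mismatch", "Passwords do not match.");
  if (body.acceptTerms !== true) add("acceptTerms", "required", "You must accept the regulations.");

  return errors.length === 0
    ? { status: 201, body: { ok: true } }
    : { status: 422, body: { errors } };
}

// Client side: turn whatever came back into per-field messages, with a catch-all
// for a failed request or a response shape the client does not recognise.
function messagesFromResponse(response) {
  const generic = { form: "Something went wrong. Please try again." };
  if (!response) return generic; // network failure or backend down
  if (response.status === 201) return {};
  const list = response.body && response.body.errors;
  if (response.status !== 422 || !Array.isArray(list)) return generic;
  const byField = {};
  for (const e of list) if (!(e.field in byField)) byField[e.field] = e.message; // first message per field
  return byField;
}
```

Because the client keys on `field` and `code` rather than on its own copy of the rules, a rule added only on the backend still reaches the user as a readable message.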