Relying solely on client-side validation should be strictly avoided. It is not a reliable approach as skilled users can easily manipulate the client-side code to bypass the validation rules. Let’s examine example to illustrate this point.
In our scenario, we have an ASP.net Razor-page application with login form. The form utilizes bind property attributes in the code-behind to bind the form values to attributes. We have defined various validation attributes such as Required and Min-length. ASP.net Core simplifies our task by automatically generating the necessary JavasScript code for validation when we use the JQuery Unobtrusive Validation library.
In the current implementation, the form submission does not include the authentication step. If the form is successfully submitted, It redirects to the Privacy page. Let’s observe what happens when we interact with the form.
When we attempt to submit the form, we notice that the Unobtrusive library automatically prevents the form submission.
However, as a skilled user, we understand that any client-side validation can by bypassed. It is a straightforward process. By opening the browser’s developer tool (using F12 key), accessing the “form” in the “elements“, navigating to “event listeners“, specifically the “submit” event, we can remove the form-submit-handler.
Once this modification is made, subsequent form submissions no longer undergo validation, and we are redirected to the next Privacy-policy page.
This example clearly demonstrates how easily client-side validation can be circumvented unless robust server-side protection is in place. To illustrate the significance of server-side validation in addition to client-side validation, let’s enable server-side protection and repeat the experiment.
After enabling server-side protection and relaunching the application, we revisit the same page and attempt the previous steps. We remove the event handler and submit the form again.
This time, the correct validation messages are displayed and the validation Javascript library is automatically bound to the Form’s submit event again by the server-side rendering, the we are prevented form accessing the next Privacy screen. This effectively showcases the ease of setting up client and server-side validation with ASP.net core and emphasizes the importance of performing server-side validation alongside client-side validation.
To ensure comprehensive validation, it is crucial always to validate on the server-side. Clien-side as an initial layer, but it must be reinforced by robust server-side validation to maintain the integrity and security of the application.
