---
title: Always Validate Client Data Server-side
impact: MEDIUM
impactDescription: ensures input validation cannot be bypassed
tags: validation, server-side, input, sanitization, security, csharp
---

## Always Validate Client Data Server-side

Client-side validation exists for user experience only: any client can bypass it by crafting requests directly. Always validate again in your C# controllers or services, which are the only place the check cannot be skipped.

**Incorrect (trusting client):**

```csharp
[HttpPost]
public IActionResult Transfer(TransferRequest request)
{
    // trusting that frontend sent valid data
    _service.Transfer(request.Amount, request.ToAccount);
    return Ok();
}
```

**Correct (comprehensive server validation):**

```csharp
using FluentValidation;

// Validator for the request body. ModelState.IsValid only reflects these rules
// when FluentValidation's ASP.NET integration (AddFluentValidationAutoValidation)
// is registered at startup; otherwise the validator must be invoked explicitly.
public class TransferRequestValidator : AbstractValidator<TransferRequest>
{
    public TransferRequestValidator()
    {
        RuleFor(x => x.Amount).GreaterThan(0).LessThan(10000);
        // Two uppercase letters followed by exactly 18 digits.
        RuleFor(x => x.ToAccount).Matches(@"^[A-Z]{2}\d{18}$");
    }
}

[HttpPost]
public IActionResult Transfer(TransferRequest request)
{
    // Syntactic validation (format, range) populated by model binding
    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    // Business validation: the account must actually exist
    if (!_service.AccountExists(request.ToAccount))
    {
        return NotFound("Account not found");
    }

    _service.Transfer(request.Amount, request.ToAccount);
    return Ok();
}
```
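The following is an added example (not code from the page) showing the full wiring the correct block relies on: validators registered in DI at startup and the validator invoked explicitly in the action, so the rules run even if the automatic-validation hook is never configured. It assumes .NET 8 / C# 12, the `FluentValidation.AspNetCore` package for `AddToModelState`, and a hypothetical `ITransferService` whose implementation registration is omitted.

```csharp
using FluentValidation;
using FluentValidation.AspNetCore;
using Microsoft.AspNetCore.Mvc;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// Registers every AbstractValidator<T> in this assembly as IValidator<T>. Note that ModelState.IsValid
// only picks these rules up if AddFluentValidationAutoValidation() is also called; we validate explicitly instead.
builder.Services.AddValidatorsFromAssemblyContaining<TransferRequestValidator>();
var app = builder.Build();
app.MapControllers();
app.Run();

public record TransferRequest(decimal Amount, string ToAccount);
public class TransferRequestValidator : AbstractValidator<TransferRequest>
{
    public TransferRequestValidator()
    {
        RuleFor(x => x.Amount).GreaterThan(0).LessThan(10000);
        // Two uppercase letters followed by exactly 18 digits; NotEmpty gives a clearer error for a missing field.
        RuleFor(x => x.ToAccount).NotEmpty().Matches(@"^[A-Z]{2}\d{18}$");
    }
}

// Assumed service contract (hypothetical, not from the page).
public interface ITransferService
{
    bool AccountExists(string account);
    void Transfer(decimal amount, string toAccount);
}

[ApiController, Route("api/transfers")]
public class TransfersController(IValidator<TransferRequest> validator, ITransferService service) : ControllerBase
{
    [HttpPost]
    public async Task<IActionResult> Transfer(TransferRequest request)
    {
        // Explicit validation: enforced here regardless of how the request reached the server.
        var result = await validator.ValidateAsync(request);
        if (!result.IsValid)
        {
            result.AddToModelState(ModelState);    // copies failures into ModelState (FluentValidation.AspNetCore)
            return ValidationProblem(ModelState);  // 400 with per-field error details
        }
        if (!service.AccountExists(request.ToAccount))
            return NotFound("Account not found");
        service.Transfer(request.Amount, request.ToAccount);
        return Ok();
    }
}
```

A tampered request such as `{"amount": -500, "toAccount": "X"}` is rejected with a 400 listing both failing fields, whatever the browser-side form allowed.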

**Tools:** FluentValidation, DataAnnotations, SonarQube
