Shurmajee

Reputation: 1047

Need for server-side validation when JavaScript is made mandatory?

I understand that JavaScript can be disabled by users.

I am developing a web app where, whenever a user submits a form (along with client-side validations), a hidden field is modified using JavaScript, and this is checked on the server side to see if JS is disabled by the user. In case JS is disabled, the user is notified to enable JavaScript.

  1. Do I need to validate the inputs again on the server side? (If yes, then why?)
  2. Is there a way to get around the client-side validations in this case?
  3. Similarly, in the case of an Ajax-based login, do we need to check the user credentials again on the server side?

Upvotes: 0

Views: 292

Answers (3)

Matt Ball

Reputation: 360046

Do I need to validate the inputs again on the server side?

Yes. Always. Don't be lazy. There's no guarantee that requests are even coming from a browser, let alone one with JavaScript enabled. Browsers are hardly the only ways to make HTTP requests, and HTTP servers – by definition – serve HTTP clients, not just browsers. Validation exists to protect you, your systems, your precious data, and other users of your system. Relying on client-side validation assumes cooperative, non-malicious clients, but the whole point of validation is to provide protection from uncooperative or malicious clients.

Is there a way to get around the client-side validations in this case?

Of course. The request could be "manually" constructed in a way that fools the server into thinking the hidden field was manipulated with JavaScript, thus fooling your server into thinking that JS is enabled. Hidden fields do nothing for security; they are trivial to manipulate.

Upvotes: 1
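An added example, not from the question or any of the answers, that puts the hidden-field check next to real server-side validation: a body forged by any HTTP client can set the hidden field and still carry input the client-side rules would have rejected. The field names, rules and request bodies are constructed for illustration.

```javascript
// Constructed rules for the kind of form the question describes.
// Each rule returns null when the value is acceptable, else an error message.
const RULES = {
  username: v => /^[a-z0-9_]{3,20}$/.test(v) ? null : "3-20 chars: a-z, 0-9, _",
  email:    v => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? null : "invalid email",
  age:      v => /^\d{1,3}$/.test(v) && Number(v) >= 13 ? null : "age must be 13 or more",
};

// Parse an application/x-www-form-urlencoded body. Nothing here depends on a
// browser: curl, a script or a proxy can produce exactly the same bytes.
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The check from the question: treat the JS-set hidden field as proof that the
// client-side validator ran. The client controls this field completely.
function naiveAccept(fields) {
  return fields.js_enabled === "1";
}

// Server-side validation: run every rule on every request, regardless of
// what the hidden field claims.
function validateServerSide(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const msg = rule(fields[name] ?? "");
    if (msg) errors[name] = msg;
  }
  return errors;
}

function handleRequest(body) {
  const fields = parseBody(body);
  const errors = validateServerSide(fields);
  return {
    naiveAccepted: naiveAccept(fields),          // true whenever js_enabled=1 is present
    accepted: Object.keys(errors).length === 0,  // true only when every rule passes
    errors,
  };
}

// Constructed bodies: one from a cooperating browser, one hand-built with the
// hidden field set but the client-side rules skipped.
const legitimate = "username=alice&email=alice%40example.com&age=30&js_enabled=1";
const forged = "username=%3Cscript%3E&email=not-an-email&age=-5&js_enabled=1";

console.log(handleRequest(legitimate)); // naiveAccepted: true, accepted: true
console.log(handleRequest(forged));     // naiveAccepted: true, accepted: false, three errors
```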

Cao Minh

Reputation: 109

You need to validate the inputs again on the server side. Don't trust any inputs from clients, because they can POST any data without your form.

Client validation is just for UX.

Upvotes: 0

Alex

Reputation: 11579

You should never trust any client input, and always validate on the server.
Client validation is just for user convenience.

Upvotes: 2
