AdeelMufti

Reputation: 351

Where in the MEAN stack should validation rules be created?

I'm creating an application using the MEAN stack, which has a lot of form data entry that is persisted to the database from both authenticated and anonymous users.

Where in the stack should I create all my validation rules? Should they be in AngularJS? But I would like my server-side API to be secure, so perhaps they should be in Express and then get bubbled up to AngularJS? Or should they be all the way down at the MongoDB layer (I'll be using Mongoose, so it's easy to create validation there)?

Currently I have them spread all over, and am finding myself duplicating rules. I'd like to avoid that and create the rules in one place. So what are the general rules for defining validation in a MVW application, and which layer is it best to have them at (especially for a MEAN application)?

Upvotes: 1

Views: 309

Answers (1)

lebobbi

Reputation: 2277

As per the OWASP recommendation

Where to include validation

Validation must be performed on every tier. However, validation should be performed as per the function of the server executing the code. For example, the web / presentation tier should validate for web related issues, persistence layers should validate for persistence issues such as SQL / HQL injection, directory lookups should check for LDAP injection, and so on.

You need to validate everywhere.

In the Angular part you validate an issue on the client side without going all the way back to the server, so you should prevent these kinds of issues sooner.

On Express, you need to validate, since you cannot trust your front end.

On Mongo, you need to validate access, permissions, data to be inserted, etc.

Why should you validate?

The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as Interpreter Injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted for the client has every possibility to tamper with the data.

From the same source:

https://www.owasp.org/index.php/Data_Validation

Upvotes: 3
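An added example (not code from the question or the answer) of keeping the rules in one place while still validating on every tier, as the answer recommends: a plain rule table that the Angular client can use for immediate feedback, that an Express route validates `req.body` against before anything reaches the database, and from which the Mongoose schema options are derived. The `signupRules` fields and limits, `validate` and `toMongooseSchema` are constructed assumptions; express and mongoose are not loaded, so the file runs stand-alone (in Express it would be `if (validate(signupRules, req.body).length) return res.status(400)`).

```javascript
// Added example, not code from the question or answer: one rule table shared by
// the Angular client, the Express API and the Mongoose schema. Rules are plain
// data, so the same module can be bundled for the browser and required on the
// server. Field names and limits are constructed for illustration.

const signupRules = {
  username: { required: true, minLength: 3, maxLength: 30, pattern: /^[a-z0-9_]+$/i },
  email:    { required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  website:  { required: false, maxLength: 200, pattern: /^https?:\/\/\S+$/ },
};

// Server-tier check of an untrusted payload. Returns an array of error strings;
// an empty array means the payload passed. Every field must be a real string:
// the typeof check is what keeps a client-supplied object such as {"$gt": ""}
// from reaching a MongoDB query in place of a string. Unknown fields are
// rejected so extra properties cannot be smuggled through to the database.
function validate(rules, payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return ['payload must be a JSON object'];
  }
  const errors = [];
  for (const key of Object.keys(payload)) {
    if (!Object.prototype.hasOwnProperty.call(rules, key)) errors.push(`${key}: unexpected field`);
  }
  for (const [field, rule] of Object.entries(rules)) {
    const value = payload[field];
    if (value === undefined || value === null || value === '') {
      if (rule.required) errors.push(`${field}: required`);
      continue;
    }
    if (typeof value !== 'string') { errors.push(`${field}: must be a string`); continue; }
    if (rule.minLength !== undefined && value.length < rule.minLength) errors.push(`${field}: too short`);
    if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${field}: too long`);
    if (rule.pattern && !rule.pattern.test(value)) errors.push(`${field}: invalid format`);
  }
  return errors;
}

// Persistence tier: derive Mongoose SchemaType options (required, minlength,
// maxlength, match) from the same rules so the schema enforces them as well.
// Only the plain options object is built, so mongoose itself is not needed here.
function toMongooseSchema(rules) {
  const schema = {};
  for (const [field, rule] of Object.entries(rules)) {
    const def = { type: String, required: !!rule.required };
    if (rule.minLength !== undefined) def.minlength = rule.minLength;
    if (rule.maxLength !== undefined) def.maxlength = rule.maxLength;
    if (rule.pattern) def.match = rule.pattern;
    schema[field] = def;
  }
  return schema;
}
```

The client can run the same `validate` for inline form feedback, but only the Express and Mongoose tiers are trustworthy, since a client that skips the Angular form can post any JSON it likes.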
