Whose responsibility is it to check data validity?

language-agnostic

Solution 1:

Both consumer side(client) and provider side(API) validation.

Clients should do it because it means a better experience. For example, why do a network round trip just to be told that you've got one bad text field?

Providers should do it because they should never trust clients (e.g. XSS and man in the middle attacks). How do you know the request wasn't intercepted? Validate everything.

There are several levels of valid:

  1. All required fields present, correct formats. This is what the client validates.
  2. # 1 plus valid relationships between fields (e.g. if X is present then Y is required).
  3. # 1 plus # 2 plus business valid: meets all business rules for proper processing.

Only the provider side can do #2 and #3.

Solution 2:

For an API the callee should always do proper validation and throw a descriptive exception for invalid data.

For any client with IO overhead client should do basic validation as well...

Related

Why is "close existing connections to destination database" grayed out on SQL Server 2012 Management Studio?
How to stop lodash.js _.each loop?
Arrow function "expression expected" syntax error
Typescript Array Map Return Object
Is there a way to print a console message with Flutter?
what is the difference between a view model and a data transfer object?
Ruby: convert string to date
Rails ActiveSupport: How to assert that an error is raised?
$K[X]$-modules are $K$-vector spaces with a linear transformation
why scalar projection does not yield coordinates?
How do I calculate the value of this series?
Why do reciprocal functions work for undefined values?