Input Validation

Input validation is the practice of verifying that data from users, forms, or external sources is safe and correctly formatted before your application processes it. Without validation, a missing field can crash your server, a malformed email can corrupt your database, and a script tag can enable a cross-site scripting (XSS) attack.

Validation happens on both sides: client-side (instant feedback in the browser using libraries like Zod or Yup) and server-side (mandatory, because client checks can be bypassed). The server should never trust data from the client without re-validating it.

For vibe coders, AI is good at generating validation schemas from descriptions ("validate that email is required, password is at least 8 characters, and age is a positive number"). The key judgment call is knowing what to validate and where. Always validate at the boundary between your system and the outside world.