Why is client-side validation not enough?
A user can bypass it with curl, Postman, or a custom client. Client validation improves UX (instant feedback); server validation is for security. Always validate on the server, no matter what the client does.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Common Validation Mistakes in Express (and How to Fix Them)
No validation at all, only validating the body (forgetting params and query), not replacing req.body with parsed data, no type coercion, validating in controllers (duplication), validating too late, generic error messages, not handling Mongoose ValidationErrors, no runValidators on updates, and trusting client-side validation.
Invalid params (e.g., a non-24-char ObjectId) crash Mongoose. Invalid query (e.g., a non-numeric skip) breaks pagination. Validate all three with separate factories: validate, validateParams, validateQuery.
Because Zod coerces types (string to number, defaults, transforms). If you keep the original req.body, downstream code uses uncoerced strings. Replace req.body = result.data so the handler sees the parsed, coerced data.
Still have questions?
Browse all our FAQs or reach out to our support team
