Wednesday, July 6, 2011

Why client-side verification is bad..

Words with bastards

As a programmer, you should know that you can't trust anything you put in the hands of someone else. If you're writing a web, mobile or desktop application that talks to your server, you can't assume that nobody will subvert the local software, so you can't rely on it to perform authentication or parameter verification. (As noted in the comments below, it's not a sin to perform checks on the client side -- just don't *trust* that they were performed.)

A common mistake is the web site that relies on JavaScript to ensure a form is filled in correctly, but then doesn't re-validate the submitted data on the server in case the JavaScript was bypassed. The same problem extends to mobile or desktop applications that communicate with a remote server.

I recently looked into Zynga's "Words with friends" mobile application, and to my surprise discovered that it did client-side verification of the words you are playing.

It wasn't very hard to circumvent this, resulting in a version which accepts moves like the above one.
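As an added example (not code from the post or from the game it describes), here is how a server for a word game like the one above can decide a move from its own state, treating everything the client sends, including any "already validated" flag, as untrusted input. The dictionary, racks and scoring are constructed toy data.

```javascript
// Added example: server-side move validation for a Words-with-Friends-style
// game. The dictionary, racks and scoring below are toy data for illustration.

const DICTIONARY = new Set(["cat", "cats", "act", "tea", "eat", "ate"]);

// Authoritative, server-held state: the tiles each player actually holds.
// The client may send its own idea of the rack, but the server never uses it.
const serverRacks = {
  alice: ["c", "a", "t", "s", "e", "x", "q"],
};

// Returns a list of problems; an empty list means the move is acceptable.
// The same function can run on the client for instant feedback, but only the
// server's run of it decides anything.
function validateMove(word, rack) {
  const problems = [];
  if (typeof word !== "string" || !/^[a-z]{2,15}$/.test(word)) {
    problems.push("word must be 2-15 lowercase letters");
    return problems;
  }
  if (!DICTIONARY.has(word)) problems.push(`"${word}" is not in the dictionary`);
  // Check the word can be formed from the rack (multiset subtraction).
  const remaining = [...rack];
  for (const letter of word) {
    const i = remaining.indexOf(letter);
    if (i === -1) {
      problems.push(`tile "${letter}" is not on the rack`);
      break;
    }
    remaining.splice(i, 1);
  }
  return problems;
}

// Server entry point. `body` is the untrusted request payload; body.rack and
// body.clientValidated are deliberately ignored.
function handleMove(player, body) {
  const rack = serverRacks[player];
  if (!rack) return { ok: false, problems: ["unknown player"] };
  const problems = validateMove(body.word, rack);
  if (problems.length) return { ok: false, problems };
  return { ok: true, score: body.word.length }; // toy scoring: one point per tile
}
```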


  1. I do not agree, almost. If your post said, relying solely on client-side verification is bad, I would agree. But almost all good developers know that client-side and server-side validation should go hand in hand. Client-side verification has the benefit of being quicker and more user friendly since no post to the server is required, hence no waiting time is imposed on the user, making the user experience more enjoyable. However, we cannot rely solely on client-side validation, of course... Doing it is a wrong strategy. But like I said before, almost every (well-developed) application has both validation strategies...

  2. I agree with you. It's not wrong to use client-side methods to do initial validation, but it's wrong to *trust* that validation on the server side.

    I probably wasn't very clear on my feelings though.

  3. Client-side validation is mainly a commodity... It helps the user input the correct data and so on, but should not be called "validation" at all. As stated on , always perform correct validation server side, otherwise you would be offering easy routes to "unscrupulous" people...

  4. Client-side validation should be seen as a presentation issue. It can allow a user to see the errors a server is going to return, before they've even submitted the page. It is quite bad in practice as many people forget to test for the case that it isn't working, or is deliberately avoided.

    A truly stunning example was on HackerNews a while ago: (view the source to see it).

  5. Just imagining the look of WTF to have washed over elizamatic's face is, in itself, satisfying.

    Also, sadly, the OpenID stuff attached to this comment form seems to be broken. :(