[{"data":1,"prerenderedAt":282},["ShallowReactive",2],{"blog-glossary/validation":3},{"id":4,"title":5,"body":6,"category":257,"date":258,"dateModified":258,"description":259,"draft":260,"extension":261,"faq":262,"featured":260,"headerVariant":266,"image":267,"keywords":267,"meta":268,"navigation":269,"ogDescription":270,"ogTitle":271,"path":272,"readTime":273,"schemaOrg":274,"schemaType":275,"seo":276,"sitemap":277,"stem":278,"tags":279,"twitterCard":280,"__hash__":281},"blog/blog/glossary/validation.md","What is Input Validation? Security Best Practices",{"type":7,"value":8,"toc":247},"minimark",[9,16,21,24,28,74,78,95,99,155,164,168,194,216,235],[10,11,12],"tldr",{},[13,14,15],"p",{},"Input validation checks that user data matches expected formats before processing. Is the email valid? Is the number within range? Is the required field present? Validation rejects bad input early, preventing bugs and security issues. Always validate on the server. Use libraries like Zod or Yup to define and enforce schemas.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23],{},"Users submit data through forms, URLs, and APIs. Some of that data contains mistakes (typos), and some is malicious (attacks). Validation is your first check: \"Does this look like what I expect?\" If not, reject it immediately. Don't try to process or fix bad data.",[17,25,27],{"id":26},"what-to-validate","What to Validate",[29,30,31,39,45,51,57,68],"ul",{},[32,33,34,38],"li",{},[35,36,37],"strong",{},"Type:"," Is it a string, number, boolean, array?",[32,40,41,44],{},[35,42,43],{},"Format:"," Valid email? Valid URL? 
UUID format?",[32,46,47,50],{},[35,48,49],{},"Length:"," Min and max character limits",[32,52,53,56],{},[35,54,55],{},"Range:"," Number between 1 and 100?",[32,58,59,62,63,67],{},[35,60,61],{},"Allowed values:"," One of ",[64,65,66],"span",{},"pending, approved, rejected","?",[32,69,70,73],{},[35,71,72],{},"Required:"," Is this field present?",[17,75,77],{"id":76},"validation-with-zod","Validation with Zod",[79,80,82,85,92],"prompt-box",{"title":81},"Schema validation example",[13,83,84],{},"import { z } from 'zod';",[13,86,87,88,91],{},"const userSchema = z.object({\n  email: z.string().email(),\n  name: z.string().min(1).max(100),\n  age: z.number().min(0).max(150).optional(),\n  role: z.enum([",[64,89,90],{},"'user', 'admin'","])\n});",[13,93,94],{},"// In your API handler\nconst result = userSchema.safeParse(req.body);\nif (!result.success) {\n  return res.status(400).json({ errors: result.error.issues });\n}\n// result.data is now typed and validated",[17,96,98],{"id":97},"client-vs-server-validation","Client vs Server Validation",[100,101,102,118],"table",{},[103,104,105],"thead",{},[106,107,108,112,115],"tr",{},[109,110,111],"th",{},"Aspect",[109,113,114],{},"Client-Side",[109,116,117],{},"Server-Side",[119,120,121,133,144],"tbody",{},[106,122,123,127,130],{},[124,125,126],"td",{},"Purpose",[124,128,129],{},"User experience",[124,131,132],{},"Security",[106,134,135,138,141],{},[124,136,137],{},"Can be bypassed",[124,139,140],{},"Yes, easily",[124,142,143],{},"No (if done right)",[106,145,146,149,152],{},[124,147,148],{},"When to use",[124,150,151],{},"For immediate feedback",[124,153,154],{},"Always, mandatory",[156,157,158],"warning-box",{},[13,159,160,163],{},[35,161,162],{},"Never trust client-side validation alone."," Attackers can disable JavaScript, modify requests, or call your API directly. 
Server-side validation is your security boundary.",[17,165,167],{"id":166},"validation-libraries","Validation Libraries",[29,169,170,176,182,188],{},[32,171,172,175],{},[35,173,174],{},"Zod:"," TypeScript-first, excellent DX",[32,177,178,181],{},[35,179,180],{},"Yup:"," Popular, works well with Formik",[32,183,184,187],{},[35,185,186],{},"Joi:"," Mature, extensive features",[32,189,190,193],{},[35,191,192],{},"Valibot:"," Lightweight alternative to Zod",[195,196,197,204,210],"faq-section",{},[198,199,201],"faq-item",{"question":200},"Should I validate on the client or server?",[13,202,203],{},"Always validate on the server. Client-side validation can be bypassed by attackers using browser dev tools or direct API calls. Client-side validation is for user experience (immediate feedback), not security. Server-side validation is mandatory for security.",[198,205,207],{"question":206},"What should I validate?",[13,208,209],{},"Validate type (string, number, boolean), format (email, URL, phone), length (min/max characters), range (number bounds), allowed values (enums, allowlists), and required vs optional. Validate everything that comes from outside your trusted code, including URL parameters, form data, headers, and file uploads.",[198,211,213],{"question":212},"Is validation enough to prevent injection attacks?",[13,214,215],{},"Validation helps but is not enough alone. Use validation to reject unexpected input, but also use parameterized queries for SQL, output encoding for HTML, and proper escaping for other contexts. 
Defense in depth means multiple layers of protection.",[217,218,219,225,230],"related-articles",{},[220,221],"related-card",{"description":222,"href":223,"title":224},"Cleaning input","/blog/glossary/sanitization","Sanitization",[220,226],{"description":227,"href":228,"title":229},"What validation prevents","/blog/glossary/injection","Injection",[220,231],{"description":232,"href":233,"title":234},"Related vulnerability","/blog/glossary/xss","XSS",[236,237,240,244],"cta-box",{"href":238,"label":239},"/","Start Free Scan",[17,241,243],{"id":242},"check-your-validation","Check Your Validation",[13,245,246],{},"Scan your app for missing validation and input issues.",{"title":248,"searchDepth":249,"depth":249,"links":250},"",2,[251,252,253,254,255,256],{"id":19,"depth":249,"text":20},{"id":26,"depth":249,"text":27},{"id":76,"depth":249,"text":77},{"id":97,"depth":249,"text":98},{"id":166,"depth":249,"text":167},{"id":242,"depth":249,"text":243},"glossary","2026-01-13","Learn what input validation is, why it matters for security, and how to validate user data properly. Prevent bugs and vulnerabilities.",false,"md",[263,264,265],{"question":200,"answer":203},{"question":206,"answer":209},{"question":212,"answer":215},"green",null,{},true,"Input validation rejects bad data before it causes problems. Learn how to do it right.","What is Input Validation?","/blog/glossary/validation","4 min read","[object Object]","DefinedTerm",{"title":5,"description":259},{"loc":272},"blog/glossary/validation",[],"summary_large_image","47ppdCzZHxncAMDI8MtOS4itceI6CrbXqHtDAZTLlII",1775843921843]