Server-Side Form Validation — Why It's Non-Optional
Client-side validation is for UX; server-side validation is for security. Why you need both, what to check server-side, and how splitforms validates every submission so you don't have to write it yourself.
Client-side validation runs in the user's browser. It's for UX — blocking obvious mistakes (empty required fields, malformed emails) before the form hits the network. It's also trivially bypassable: anyone with DevTools can disable it, delete the validation script, or POST directly with curl. Treat client-side validation as a hint, not a guarantee.
Server-side validation runs on your backend. It's for security and data integrity. Every field that reaches the server must be re-validated, regardless of what the client said. Required fields must be present; email format must be valid; lengths must be within bounds; types must match the schema. Without this, a malicious actor can submit arbitrary garbage to your database and APIs.
What to validate server-side: every field. Required fields are non-empty. String fields match the expected format (email pattern, URL pattern, phone pattern). Numeric fields fall within min/max ranges. File uploads match the expected size and MIME type (don't trust the `accept` attribute or the file extension). Multi-select fields contain only allowed values.
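The list above, turned into a small hand-rolled validator. This is an added example, not code from splitforms or from the original page: the form schema, the field names, the limits, the accepted upload types and the two sample submissions are all assumptions constructed for the illustration. In production you would express the same rules with Zod, Pydantic or your framework's validator; what matters is that every rule runs on the server, that integers arriving as strings are parsed strictly, that uploads are judged by their leading bytes rather than by name, and that fields the schema does not know about are rejected instead of stored.

```python
import re

# Added example, not splitforms code: a hand-rolled server-side validator.
# Zod, Pydantic or a framework validator would express the same rules.

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"^https?://[^\s/]+(/\S*)?$")

# File signatures (magic bytes) for the upload types this form accepts.
# Content-Type, the `accept` attribute and the extension are all under
# the client's control, so none of them is consulted.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}

def sniff_mime(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, sig in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None

# Hypothetical contact-form schema; field names and limits are assumptions.
SCHEMA = {
    "name":       {"type": "string", "required": True, "max_len": 100},
    "email":      {"type": "string", "required": True, "max_len": 254, "pattern": EMAIL_RE},
    "website":    {"type": "string", "max_len": 2048, "pattern": URL_RE},
    "age":        {"type": "int", "min": 13, "max": 120},
    "topics":     {"type": "multi", "allowed": {"billing", "support", "sales"}},
    "attachment": {"type": "file", "max_bytes": 5 * 1024 * 1024,
                   "mimes": {"image/png", "application/pdf"}},
}

def _missing(value):
    return value is None or value == "" or value == []

def validate(submission: dict, schema: dict = SCHEMA) -> dict:
    """Check every field against the schema. Returns {field: error}; empty means valid."""
    errors = {}
    for name, rule in schema.items():
        value = submission.get(name)
        if _missing(value):
            if rule.get("required"):
                errors[name] = "required"
            continue
        kind = rule["type"]
        if kind == "string":
            if not isinstance(value, str):
                errors[name] = "expected a string"
            elif len(value) > rule["max_len"]:
                errors[name] = "too long"
            elif "pattern" in rule and not rule["pattern"].match(value):
                errors[name] = "bad format"
        elif kind == "int":
            # Form values arrive as strings: parse strictly and reject bools.
            try:
                if isinstance(value, bool):
                    raise ValueError
                n = int(value)
            except (TypeError, ValueError):
                errors[name] = "expected an integer"
                continue
            if not rule["min"] <= n <= rule["max"]:
                errors[name] = "out of range"
        elif kind == "multi":
            if not isinstance(value, list) or not all(
                isinstance(v, str) and v in rule["allowed"] for v in value
            ):
                errors[name] = "contains a value that is not allowed"
        elif kind == "file":
            data = value.get("data") if isinstance(value, dict) else None
            if not isinstance(data, bytes) or not data:
                errors[name] = "expected file bytes"
            elif len(data) > rule["max_bytes"]:
                errors[name] = "file too large"
            elif sniff_mime(data) not in rule["mimes"]:
                errors[name] = "file type not allowed"
    # Fields the schema does not know are rejected rather than stored.
    for name in submission:
        if name not in schema:
            errors[name] = "unknown field"
    return errors

# Constructed submissions for the example.
GOOD = {
    "name": "Ada",
    "email": "ada@example.com",
    "website": "https://example.com/about",
    "age": "36",
    "topics": ["billing", "support"],
    "attachment": {"filename": "invoice.pdf", "data": b"%PDF-1.7 ..."},
}
BAD = {
    "name": "",
    "email": "not-an-email",
    "age": "7",
    "topics": ["billing", "root"],
    # A shell script renamed to .png: the extension lies, the bytes do not.
    "attachment": {"filename": "photo.png", "data": b"#!/bin/sh\necho pwned\n"},
    "is_admin": "true",
}

if __name__ == "__main__":
    print(validate(GOOD))  # {}
    print(validate(BAD))   # one error per offending field
```

The `BAD` submission is the kind of payload a `curl` caller sends once the browser checks are gone: an empty required field, a malformed email, an out-of-range number, a multi-select value the form never offered, an executable dressed up as an image, and an extra `is_admin` field hoping to be stored as-is. Each is caught by a separate rule, and the returned dictionary is what you would serialise into the JSON error response.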
If you use splitforms, you don't write any of this. Every submission to `/api/submit` is validated server-side: format, length, file size, MIME type, rate limits, origin checks, AI spam classification. Malformed submissions get rejected with a clear JSON error; valid submissions proceed to email + storage + webhooks. The server-side validation is the service you're paying for (or getting free).
How to set this up
Validate every field on the server
Required, format, length, type, range. Never trust the client. Zod (TS), Pydantic (Python), io-ts (TS), or your framework's built-in validation.
Re-validate file uploads
Don't trust accept attribute or file extension. Check actual MIME type via file signature (magic bytes) and size.
Rate-limit per IP and per access key
Form-spam protection. Sliding window rate limits with burst allowance.
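The third step, as an added example rather than splitforms' own implementation: a sliding-window limiter with a burst allowance, applied once per client IP and once per access key, so that a single noisy client cannot exhaust a form's budget and a distributed spam run cannot hide behind many IPs. The limits, the IP addresses, the access key and the request schedule are assumptions constructed for the example; time is passed in explicitly so the run is deterministic.

```python
import time
from collections import deque

# Added example, not splitforms code: sliding-window rate limiting with a
# burst allowance, keyed independently by client IP and by access key.

class SlidingWindowLimiter:
    """Per-key sliding-window limiter with a short burst window on top.

    A key may make at most `limit` requests in any `window` seconds and at
    most `burst` requests in any `burst_window` seconds. Timestamps are kept
    per key and pruned lazily, so memory per key is bounded by `limit`.
    """

    def __init__(self, limit, window, burst, burst_window):
        self.limit, self.window = limit, window
        self.burst, self.burst_window = burst, burst_window
        self._events = {}  # key -> deque of request timestamps (seconds)

    def check(self, key, now):
        """True if a request from `key` at time `now` is within both limits."""
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop events that aged out
            q.popleft()
        in_burst = sum(1 for t in q if now - t < self.burst_window)
        return len(q) < self.limit and in_burst < self.burst

    def record(self, key, now):
        self._events.setdefault(key, deque()).append(now)


class SubmissionGate:
    """Admit a submission only if both the client IP and the form's access
    key are under their limits. Counters are updated only on success, so a
    request refused on one axis does not burn budget on the other."""

    def __init__(self):
        # Limits are assumptions for the example; tune to the form's traffic.
        self.per_ip = SlidingWindowLimiter(limit=20, window=60, burst=5, burst_window=2)
        self.per_key = SlidingWindowLimiter(limit=100, window=60, burst=10, burst_window=2)

    def admit(self, ip, access_key, now=None):
        now = time.monotonic() if now is None else now
        if self.per_ip.check(ip, now) and self.per_key.check(access_key, now):
            self.per_ip.record(ip, now)
            self.per_key.record(access_key, now)
            return True
        return False


# Constructed traffic for the example: one client fires six submissions in
# half a second, a second client sends one, the first client comes back
# after the burst window, then settles at one per second until it hits the
# 60-second cap, and finally returns once its oldest event has aged out.
IP_A, IP_B, KEY = "203.0.113.7", "198.51.100.9", "sf_demo_key"
SCHEDULE = (
    [(t, IP_A) for t in (0.0, 0.1, 0.2, 0.3, 0.4, 0.5)]  # six in half a second
    + [(0.5, IP_B)]                                      # another client, same form
    + [(3.0, IP_A)]                                      # burst window has passed
    + [(10.0 + i, IP_A) for i in range(15)]              # one per second, t=10..24
    + [(60.0, IP_A)]                                     # the t=0.0 event expires
)

def simulate(schedule=SCHEDULE):
    """Run the schedule through a fresh gate; returns one bool per request."""
    gate = SubmissionGate()
    return [gate.admit(ip, KEY, now=t) for t, ip in schedule]

if __name__ == "__main__":
    for (t, ip), ok in zip(SCHEDULE, simulate()):
        print(f"t={t:5.1f} {ip:14} {'accept' if ok else 'reject (429)'}")
```

In the run, the sixth request from the first client inside half a second is refused by the 5-per-2-seconds burst rule while the other client's request at the same instant goes through; the first client is admitted again at t=3 once the burst window has passed, is capped at 20 requests per 60 seconds during the steady trickle, and is admitted again at t=60 when its earliest event drops out of the window. A rejected request should answer 429 with a `Retry-After` header rather than a validation error, so that legitimate retries are not mistaken for malformed input.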
(Or use splitforms)
Every submission server-side validated automatically. You skip the entire layer.
Client-side for UX. Server-side for security. You need both — or splitforms.
Frequently asked questions
What is server-side form validation?
Server-side form validation re-checks every submitted field on your backend before processing the data. It complements client-side validation: client-side is for UX (blocking obvious mistakes); server-side is for security (preventing malicious or malformed submissions).
What's the difference between client-side and server-side validation?
Client-side runs in the user's browser; it's fast, fails open if JS is disabled, and is trivially bypassable. Server-side runs on your backend; it's authoritative, runs regardless of client behavior, and is the only validation you can trust.
Do I need server-side validation if I have client-side validation?
Yes. Always. Client-side validation can be bypassed by disabling JS, editing the DOM, or POSTing directly with curl. Server-side validation is non-optional for anything that touches a database or external service.
How does splitforms handle server-side validation?
Every submission to /api/submit is validated: required fields, format (email, URL, etc.), length limits, file size and MIME type, rate limits, origin checks, AI spam classification. Malformed submissions get rejected with a clear JSON error before they reach your inbox.
What about validation in ASP.NET / Rails / Django?
Every server framework has its own validation primitives. ASP.NET: model validation attributes ([Required], [EmailAddress]). Rails: ActiveRecord validations (validates :email, presence: true, format: ...). Django: forms.Form with cleaned_data. The shape is the same: define rules, check submissions against them, reject failures.
Ship the form, not the backend.
Free for 1,000 submissions/month. Email delivery, AI spam filtering, signed webhooks, real dashboard — all on the free plan. No credit card.
Get a free access key →