Security S-09
Never Trust the Client.
Client only
  if (email.includes("@")) ✓
  Bypassed via API directly
Server validates
  schema.parse(body) → 400
  Type, length, allowed values
LaunchYourVibe S-09
Everything reaching the database is checked for type, length, and allowed values. Client-side validation is UX convenience, not security — it can be bypassed with a single curl command.
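The contrast above as an added example (not code from LaunchYourVibe): a dependency-free stand-in for the `schema.parse(body)` step, set beside the card's client-side check. The function names, the `role` field, its allowed values and the length limit are assumptions for illustration.

```javascript
// Added example. Names, the `role` field, its allowed values and the
// 254-character limit are illustrative assumptions, not from the card.
const ALLOWED_ROLES = new Set(["member", "admin"]);
const MAX_EMAIL_LEN = 254;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// The client-side check from the card. It only runs in the browser, and it
// even accepts an array, because Array.prototype.includes exists too.
function clientCheck(email) {
  return Boolean(email.includes("@"));
}

// Server-side check: type, then length, then format and allowed values.
// Returns { status: 400, errors } or { status: 200, value }.
function validateBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { status: 400, errors: ["body: must be a JSON object"] };
  }
  const errors = [];
  const { email, role, ...extra } = body;
  const unknown = Object.keys(extra);
  if (unknown.length > 0) errors.push("unexpected fields: " + unknown.join(", "));

  if (typeof email !== "string") errors.push("email: must be a string");
  else if (email.length > MAX_EMAIL_LEN) errors.push("email: too long");
  else if (!EMAIL_RE.test(email)) errors.push("email: invalid format");

  if (typeof role !== "string" || !ALLOWED_ROLES.has(role)) {
    errors.push("role: not an allowed value");
  }
  // Only the validated fields are passed on toward the database.
  return errors.length > 0 ? { status: 400, errors } : { status: 200, value: { email, role } };
}

// Constructed request bodies, as a direct API call would deliver them.
const samples = [
  '{"email":"ana@example.com","role":"member"}',
  '{"email":["@"],"role":"member"}',
  '{"email":"ana@example.com","role":"owner"}',
  '{"email":"ana@example.com","role":"member","isAdmin":true}',
];
for (const raw of samples) {
  const result = validateBody(JSON.parse(raw));
  console.log(result.status, raw, result.errors || "");
}
```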