

Ask HN: Let users wreak their own havoc? - katzgrau

Have you ever written a webapp where a more sophisticated end-user could basically edit the DOM and submit some invalid data?

I'm curious how far other developers go to prevent users from "wreaking their own havoc," as a friend of mine called it, as long as it doesn't pose any security threat.

For example, I'm writing an app that integrates with an API. I have a form where I take an API key. Based on that API key, there is a selection of entity IDs that they are supposed to choose from (pulled via the API).

Any non-malicious user wouldn't ever have a chance to enter invalid data. But a potentially malicious user might edit the DOM and enter an ID they don't have permission to access with the given API key.

Of course, the API permission checks won't allow for any future API calls, and the app basically won't work. I'm not for cutting corners, but I also don't want to replicate a bunch of validation checks client-side for users who are trying to game the system.

Thoughts?
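The scenario in the post, as an added example that is not part of the original thread or the poster's app: the server renders the entity `<select>` from the API and, on submit, re-derives the same allowed set for the supplied key and requires the posted ID to be in it. The API client (`fetch_entities`), the entity shape and the API keys are constructed stand-ins; a real app would make a network call there. The insecure handler is shown beside the checked one so the difference is visible.

```python
"""Server-side validation of a client-chosen entity ID (added example).

fetch_entities / _FAKE_API are hypothetical stand-ins for a third-party
API that returns the entities a given API key is allowed to access.
"""
from typing import Dict, List, Tuple

# Constructed sample data: which entity IDs each API key may see.
_FAKE_API: Dict[str, List[dict]] = {
    "key-alice": [{"id": 101, "name": "Alice Store"},
                  {"id": 102, "name": "Alice Lab"}],
    "key-bob": [{"id": 201, "name": "Bob Shop"}],
}


class ApiAuthError(Exception):
    """Raised when the upstream API rejects the key."""


def fetch_entities(api_key: str) -> List[dict]:
    """Hypothetical API client: entities this key is permitted to use."""
    if api_key not in _FAKE_API:
        raise ApiAuthError("invalid API key")
    return _FAKE_API[api_key]


def allowed_ids(api_key: str) -> set:
    """Single source of truth: the same set renders the form and
    validates the submission, so the checks cannot drift apart."""
    return {e["id"] for e in fetch_entities(api_key)}


def render_form(api_key: str) -> str:
    """Server renders the <select> the honest user picks from."""
    options = "".join(
        f'<option value="{e["id"]}">{e["name"]}</option>'
        for e in fetch_entities(api_key)
    )
    return f'<select name="entity_id">{options}</select>'


def handle_submit_insecure(form: dict) -> Tuple[int, str]:
    """'Before': trusts whatever entity_id the browser posted. A user who
    edits the DOM stores an ID the key was never shown."""
    return 200, f"saved entity {form['entity_id']} for {form['api_key']}"


def handle_submit(form: dict) -> Tuple[int, str]:
    """'After': the browser's choice is a convenience, the server is the
    authority. Returns (http_status, body) like a view function would."""
    api_key = form.get("api_key", "")
    try:
        entity_id = int(form.get("entity_id", ""))  # rejects "", "101abc", lists
    except (TypeError, ValueError):
        return 400, "invalid entity selection"
    try:
        allowed = allowed_ids(api_key)
    except ApiAuthError:
        return 401, "invalid API key"
    if entity_id not in allowed:
        # Same message whether the ID belongs to another key or to nobody:
        # a probing user must not be able to enumerate IDs via error text.
        return 400, "invalid entity selection"
    return 200, f"saved entity {entity_id} for {api_key}"
```

`render_form` and `handle_submit` both call `allowed_ids`, so there is nothing to "replicate": the server-side check is the one the form was built from, and the client-side restriction is just the dropdown.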
======
PommeDeTerre
Do it right, and use proper validation on both the client-side and the server-side.

~~~
katzgrau
Thanks - I know. I think there's always the possibility that the 'malicious'
user in question could edit db/configuration files anyway, but it's definitely
the correct thing to do.

