[Blazor ServerSide] When using EditForm, do I need to rerun validation inside the OnValidSubmit callback?

[Ghevi]

I'm not sure from the documentation: https://learn.microsoft.com/en-us/aspnet/core/blazor/forms/?view=aspnetcore-9.0
It seems validation is done client side but my question is if I can be sure that the model arriving to the callback wasn't tampered by a malicious user.
Is the validation rerun on the server when the data arrives or do I need to do it manually in my callback?
Or the validation run server side and if the model is invalid it returns the errors client side and if it is valid it invoke my callback?

I don't even know how you can tamper with the signalr data but I'm pretty sure you can do that with http calls.

Is this a valid concern or not?

[engineering87]

Hello @Ghevi,
yes it's a valid concern.
In Blazor, client-side validation is run before calling OnValidSubmit, so your callback only executes if the model is valid on the client but that doesn't guarantee the data wasn't tampered with. Malicious users can still bypass validation.
You should always revalidate the model on the server side before trusting or using the data. Client-side validation is just for user experience, not security.