All the data exchanged with API should be validated by the API itself.

Malicious users can easily bypass client-side validation.