Requests received at the backend can be sent over from the UI or be sent by tools such as cURL and Postman. When requests do not originate from the UI, the validations that we added on the frontend can be bypassed completely. Therefore, we must also perform validations of the data on the backend before processing them.

As mentioned in Chapter 5, Data Modeling - Designing the Foundation of the Application, we use the Hexagonal Architecture style in the TaskAgile application. So, when an HTTP request arrives at the sever end, an adapter will handle it. In our application, the adapter is a handler inside a Controller. That's where we will perform the validation. The other thing is that we should leave business logic out of this validation. We should only check whether the data is valid or not based on rules that do not involve any business logic. For example, we might want to reverse a list of usernames in our application, and we will need to check whether the value of the username in the request is allowed or not before we create that user. This verification has a business rule involved and shouldn't be carried out in the adapter. Instead, it should be the responsibility of the services in the Application Core. The following figure shows the data validation flow of the backend that we are building in this section:

As you can see, we need to make sure that the data we pass to the Application Core is always valid.