ASP.NET Core  

Building Reliable Web Applications with Model Validation in ASP.NET Core

Introduction

Validation is one of the most important parts of building production-ready web applications. Without proper validation, users may submit incomplete, incorrect, or malicious data, which may lead to database corruption, logic failures, inconsistent business workflows, and security vulnerabilities.

ASP.NET Core provides a built-in model validation framework that works seamlessly with controllers, minimal APIs, and Razor pages. It is based on attributes, reusable rules, and optional custom logic for complex real-world scenarios. Validation ensures that the backend does not trust frontend data blindly, even if Angular, React, or Blazor already perform client-side checks.

This article examines how model validation works in real-life enterprise development with step-by-step implementation, examples, and best practices.

Real-World Problem Statement

A logistics company built a freight booking web app. Their front-end UI allowed users to enter shipment weight, dimensions, pick-up date, and customer details. Initially, validation happened only in Angular, assuming backend protection was unnecessary.

Within three months:

  • Incorrect data formats reached the database.

  • Some required fields were missing because users bypassed validation using developer tools.

  • Negative weight values caused pricing miscalculations.

  • Fake customer emails made automated notifications fail.

After an internal audit, the engineering team implemented server-side validation using ASP.NET Core Model Validation.

How Model Validation Works in ASP.NET Core

  1. When a request is received, ASP.NET Core automatically attempts to bind request data to the model.

  2. Validation attributes defined on properties are checked.

  3. If validation fails, the request is immediately blocked.

  4. An appropriate error response is returned (usually 400 Bad Request).

  5. The controller method does not execute until the data is valid.

This approach ensures backend consistency even if client-side validation is bypassed.

Basic Example Model with Required and Range Validation

public class BookingRequest
{
    [Required(ErrorMessage = "Customer Name is required.")]
    public string CustomerName { get; set; }

    [Required]
    [EmailAddress(ErrorMessage = "Invalid email format.")]
    public string Email { get; set; }

    [Range(1, 10000, ErrorMessage = "Weight must be between 1 and 10000 kg.")]
    public decimal Weight { get; set; }

    [Required]
    public DateTime PickupDate { get; set; }
}

Controller Example

[ApiController]
[Route("api/[controller]")]
public class BookingController : ControllerBase
{
    [HttpPost("create")]
    public IActionResult CreateBooking([FromBody] BookingRequest request)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        return Ok("Booking Created Successfully");
    }
}

Workflow Diagram

 User Input
     |
     V
 Model Binding
     |
     V
 Validate Attributes (Required, Range, Custom)
     |
     +--> Failure --> Return 400 with validation errors
     |
     V
 Success
     |
     V
 Controller Executes Business Logic

Flowchart

          ┌─────────────────────┐
          │ Receive API Request │
          └───────┬────────────┘
                  │
                  ▼
        ┌──────────────────────────┐
        │ Bind Values to Model     │
        └───────┬──────────────────┘
                │
                ▼
     ┌───────────────────────┐
     │ Perform Validation    │
     └─────────┬─────────────┘
               │
     ┌─────────▼──────────────┐
     │ Valid?                  │
     └───────┬───────┬────────┘
             │       │
           YES      NO
             │       │
             ▼       ▼
  ┌───────────────────┐    ┌────────────────────┐
  │ Execute Controller │    │ Return 400 Error   │
  │ Logic              │    │ with Errors        │
  └───────────────────┘    └────────────────────┘

Custom Validation Attribute Example

Real-world systems require rules beyond simple range or required fields. For example: block booking on weekends.

public class NoWeekendAttribute : ValidationAttribute
{
    public override bool IsValid(object value)
    {
        if (value is DateTime date)
        {
            return date.DayOfWeek != DayOfWeek.Saturday &&
                   date.DayOfWeek != DayOfWeek.Sunday;
        }

        return false;
    }
}

Apply it:

[NoWeekend(ErrorMessage = "Pickup date cannot be on weekends.")]
public DateTime PickupDate { get; set; }

Adding Cross-Field Validation Using IValidatableObject

Some business rules depend on multiple fields. Example: insured shipment requires a declared value.

public class Shipment : IValidatableObject
{
    public bool IsInsured { get; set; }
    public decimal? DeclaredValue { get; set; }

    public IEnumerable<ValidationResult> Validate(ValidationContext context)
    {
        if (IsInsured && DeclaredValue == null)
        {
            yield return new ValidationResult(
                "Declared value is required for insured shipments.",
                new[] { nameof(DeclaredValue) }
            );
        }
    }
}

Validation in Minimal APIs (ASP.NET Core 7+)

app.MapPost("/shipment", (Shipment shipment) =>
{
    if (!MiniValidator.TryValidate(shipment, out var errors))
        return Results.ValidationProblem(errors);

    return Results.Ok("Shipment processed");
});

Best Practices

  1. Never rely solely on client-side validation.

  2. Use meaningful validation messages.

  3. Encapsulate reusable logic in custom attributes.

  4. Use IValidatableObject only when cross-field logic is required.

  5. Version validation rules if business logic evolves.

  6. Log validation failures for auditing.

Common Mistakes to Avoid

MistakeWhy It Is Wrong
Only validating on frontendCan be bypassed using tools like Postman
Hardcoding business rules in controllersMakes code hard to maintain
Generic validation messagesUsers cannot understand the issue
Returning 200 OK with validation errorsBreaks API contract

Testing Validation

Use Postman or unit tests to verify behavior.

Example Unit Test

[Test]
public void Booking_ShouldFail_WhenWeightIsNegative()
{
    var model = new BookingRequest { Weight = -5 };

    var context = new ValidationContext(model);
    var results = new List<ValidationResult>();

    var isValid = Validator.TryValidateObject(model, context, results, true);

    Assert.IsFalse(isValid);
}

Final Recommendations

  • Treat validation as part of the domain model, not just a UI feature.

  • Keep validation rules consistent across systems.

  • Validate early, validate everywhere, validate before storing data.

Conclusion

Model validation in ASP.NET Core is powerful and flexible. Using built-in attributes, custom rules, and cross-property validation ensures your web application handles data safely and consistently. In enterprise environments, validation prevents corrupted data, reduces support tickets, and improves application reliability.

Model validation is not just a feature. It is a safeguard that protects your system from human error, automation errors, and intentional misuse.

Membership not found