Handle Data Validation in Node.js with validatorjs

Implement robust input validation for secure, reliable Node.js applications. Learn to use validatorjs for comprehensive data validation and sanitization.

Why Input Validation Matters in Node.js

Data validation is your first line of defense against malformed input in modern web applications. When users submit forms, API requests, or any data to your application, proper validation ensures:

Security: Prevents SQL injection, XSS attacks, and other injection vulnerabilities
Data Integrity: Ensures downstream systems receive correctly formatted data
User Experience: Provides immediate, clear feedback on form errors
Performance: Catches invalid data early, preventing wasted processing cycles

validatorjs provides a comprehensive, battle-tested solution for input validation in Node.js applications. Originally inspired by Laravel's validator, it has evolved into a mature, standalone library that works seamlessly with Express.js and other Node.js frameworks.

Our web development team regularly implements robust validation patterns as part of our comprehensive application security approach, ensuring that every project we build meets the highest standards for data protection and user experience.

What validatorjs Offers

A powerful validation library with extensive capabilities

Comprehensive Validators

Built-in validators for emails, URLs, strings, numbers, dates, and more

Custom Rules

Extend with your own validation logic for business requirements

Sanitization

Clean and normalize input data automatically

Framework Agnostic

Works with Express.js, or any Node.js application

Getting Started with validatorjs

Installation

npm install validatorjs

Basic Usage Pattern

The fundamental pattern in validatorjs involves passing your input data and validation rules to the validator constructor:

const validator = require('validatorjs');

const rules = {
 email: 'required|email',
 password: 'required|min:8',
 name: 'required|string'
};

const data = {
 email: '[email protected]',
 password: 'secure123',
 name: 'John Doe'
};

const validation = new validator(data, rules);

if (validation.passes()) {
 // Validation succeeded
 console.log('All checks passed!');
} else {
 // Validation failed
 console.log(validation.errors.all());
}

This pattern provides immediate feedback with a clean, readable API that maps directly to your validation requirements.

Using Built-in Validators

String Validators

String validators form the foundation of most form validation scenarios:

const rules = {
 username: 'required|alpha_dash|min:3|max:30',
 bio: 'string|min:10|max:500',
 slug: 'required|string|alpha_dash'
};

Email and URL Validation

Email and URL validation are among the most common requirements:

const rules = {
 email: 'required|email',
 website: 'required|url',
 apiEndpoint: 'url|https' // Require HTTPS
};

Numeric and Range Validation

Ensure data falls within expected numeric ranges:

const rules = {
 age: 'required|integer|min:18|max:120',
 quantity: 'required|integer|min:1',
 rating: 'integer|between:1,5'
};

Date Validation

Validate and compare dates:

const rules = {
 birthdate: 'date',
 startDate: 'date',
 endDate: 'date_after:startDate'
};

Creating Custom Validation Rules

Adding Custom Validators

For business logic beyond built-in validators, extend validatorjs:

const validator = require('validatorjs');

// Register a custom validator
validator.register('phoneNumber', function(value) {
 return /^[\d\s\-\(\)\+]{10,}$/.test(value);
}, 'The phone number format is invalid.');

// Use custom validator
const rules = {
 phone: 'required|phoneNumber'
};

Password Strength Validator

Create compound validators for complex requirements:

validator.register('strongPassword', function(value) {
 const hasUpper = /[A-Z]/.test(value);
 const hasLower = /[a-z]/.test(value);
 const hasNumber = /\d/.test(value);
 const hasSpecial = /[!@#$%^&*,.?":{}|<>]/.test(value);
 return hasUpper && hasLower && hasNumber && hasSpecial;
}, 'Password must include uppercase, lowercase, number, and special character.');

const rules = {
 password: 'required|strongPassword|min:12'
};

Asynchronous Validation

For database lookups or external API calls:

async function validateRegistration(data) {
 const validation = new validator(data, {
 email: 'required|email',
 username: 'required|string|min:3'
 });

 // Custom async check
 const emailExists = await checkEmailExists(data.email);
 if (emailExists) {
 validation.errors.add('email', 'Email already registered');
 }

 return validation;
}

validatorjs itself is synchronous, but you can implement async validation by combining it with promise-based logic for database lookups or API calls.

Error Handling and Results

Checking Validation Results

Use passes() or fails() to check validation outcome:

const validation = new validator(data, rules);

if (validation.passes()) {
 // All validations passed
} else {
 // Handle errors
}

Retrieving Error Messages

validatorjs provides multiple ways to access errors:

// Get all errors as object
const allErrors = validation.errors.all();
// { email: ['Invalid email format'] }

// Get first error for each field
const firstErrors = validation.errors.first();

// Get error for specific field
const emailError = validation.errors.first('email');

// Check if field has errors
if (validation.errors.has('email')) {
 // Handle email error
}

Custom Error Messages

Provide user-friendly feedback:

const messages = {
 'email.required': 'Please enter your email',
 'email.email': 'Please enter a valid email',
 'password.min': 'Password must be at least :min characters'
};

const validation = new validator(data, rules, messages);

You can use placeholders like :attribute (field name), :min, :max in custom messages for dynamic content.

Sanitization Features

While validation checks data quality, sanitization cleans and normalizes input:

const rules = {
 email: 'trim|lowercase',
 name: 'trim|escape',
 search: 'trim|strip_low'
};

// Numeric sanitization
const rules = {
 quantity: 'to_int',
 price: 'to_float'
};

Common Sanitizers

Sanitizer	Purpose
`trim`	Remove leading/trailing whitespace
`escape`	HTML entity encoding
`lowercase`	Convert to lowercase
`uppercase`	Convert to uppercase
`strip_low`	Remove non-printable characters
`to_int`	Convert to integer
`to_float`	Convert to float

Sanitizers are applied in order, so you can chain them for comprehensive data cleaning. For example, trim|lowercase|escape would first trim whitespace, convert to lowercase, then escape HTML entities before validation.

Integrating with Express.js

Validation Middleware Pattern

Create reusable middleware for Express routes:

// middleware/validation.js
const validator = require('validatorjs');

const validateRegistration = (req, res, next) => {
 const rules = {
 email: 'required|email',
 password: 'required|min:8',
 name: 'required|string|min:2'
 };

 const validation = new validator(req.body, rules);

 if (validation.passes()) {
 req.validatedData = validation.object();
 next();
 } else {
 res.status(400).json({
 success: false,
 errors: validation.errors.all()
 });
 }
};

module.exports = { validateRegistration };

Route Usage

// routes/auth.js
const express = require('express');
const router = express.Router();
const { validateRegistration } = require('../middleware/validation');

router.post('/register', validateRegistration, (req, res) => {
 createUser(req.validatedData);
});

Validating Different Request Parts

// Query parameters
const validateSearch = (req, res, next) => {
 const rules = {
 q: 'required|string|min:2',
 page: 'integer|min:1'
 };
 const validation = new validator(req.query, rules);
 // ...
};

For complex nested objects, use dot notation: { 'user.email': 'required|email', 'user.profile.age': 'integer' }.

When building web applications with Express.js, implementing proper validation middleware ensures consistent data quality across all endpoints while reducing code duplication.

Performance and Best Practices

Performance Optimization

For high-throughput applications:

// Reuse static rules
const baseRules = {
 email: 'required|email',
 password: 'required|min:8'
};

// Quick pre-check before full validation
const quickCheck = (data) => {
 if (!data || typeof data !== 'object') return false;
 // ...
};

Best Practices Summary

Server-side validation is non-negotiable - Never trust client-side validation alone
Use consistent rules across your application
Centralize validation logic in middleware or services
Provide user-friendly error messages
Sanitize AND validate input data
Log validation failures in production for debugging

Common Pitfalls to Avoid

Over-validating (creating unnecessary friction for users)
Silent failures (not checking validation results)
Exposing raw errors to users (always provide friendly messages)
Forgetting to sanitize data before storage
Skipping validation on backend endpoints

For larger applications, structure validation as a dedicated layer with separate files for user, product, and shared validation utilities. Following these web development best practices helps ensure your applications remain secure, maintainable, and performant as they scale.

Frequently Asked Questions

What's the difference between validatorjs and express-validator?

validatorjs is a standalone validation library that can be used with any Node.js framework. express-validator is built on top of validator.js but provides Express-specific middleware and integration patterns. Use validatorjs for flexibility, or express-validator if you're building an Express application and want the middleware convenience.

Can validatorjs handle async validation?

validatorjs itself is synchronous, but you can implement async validation by combining it with promise-based logic. For database lookups or API calls, create the validator instance and then add custom async checks before proceeding with your validation workflow.

Should I validate on the client or server?

Always validate on the server as your primary line of defense. Client-side validation improves user experience by providing immediate feedback, but it can be bypassed. Server-side validation is non-negotiable for security and data integrity.

How do I validate nested objects?

Use dot notation in your rules: { 'user.email': 'required|email', 'user.profile.age': 'integer' }. This allows you to validate complex nested structures while keeping rules organized and readable.

Build Secure, Validated Node.js Applications

Our web development team implements robust validation strategies for secure, reliable applications that protect your data and improve user experience.

React Form Validation Best Practices

Learn patterns for building accessible, user-friendly forms with proper validation on the frontend.

Learn more

Securing Node.js APIs

Comprehensive guide to protecting your APIs from common vulnerabilities and attack vectors.

Learn more

Node.js Database Best Practices

Optimize your database operations for performance, security, and scalability.

Learn more

Sources

LogRocket: How to handle data validation in Node.js using validatorjs - Comprehensive tutorial covering basic validation setup, custom validators, and practical use cases
express-validator Official Documentation - Official docs showing middleware integration and Express.js-specific patterns
validator.js GitHub Repository - Official source for available validators and sanitizers