You can and should do some validation on the page in the user's browser, but as noted the real bulwark is the backend. On the other hand you can do it very close to the request arrival so your app doesn't really fire up unless needed. Since you are (rightly) concerned about strict param validation and it sounds like a serious app, I would start out right and create an OpenAPI spec for the app defining the routes and the acceptable params. There are plugins for Dancer which will build the whole app from the spec! And then validate the input if desired, etc. There's no reason to wait until the data is received by a route handler to validate it.