Salve, legionary! You have reached one of the most important locations in our Empire — the Main Gate (Porta Praetoria). Everyone who wants to enter the city must pass through the guards' checkpoint. Similarly, every HTTP request that reaches our server should be thoroughly checked before it reaches the business logic.
Data validation is the process of verifying whether incoming data from users is correct, safe, and meets expectations. Without validation, our server is like an open gate — anyone can enter with anything.
Imagine a legionary approaching the gate and claiming to be a senator. The guard checks:
In the NestJS world, we deal with an analogous situation:
1// WITHOUT validation - gate wide open!
2@Post('legionaries')
3createLegionary(@Body() body: any) {
4 // Someone can send anything!
5 // { name: 12345, rank: null, age: "cat" }
6 return this.service.create(body);
7}
8
9// WITH validation - guards on duty!
10@Post('legionaries')
11createLegionary(@Body() dto: CreateLegionaryDto) {
12 // Data is verified before it reaches here
13 // name must be a string, rank must exist, age must be a number
14 return this.service.create(dto);
15}DTO (Data Transfer Object) is like an official imperial document — it defines exactly which fields should be present and what types they should be. In NestJS, we create DTO classes that describe the shape of input data:
1// DTO is like an imperial form
2export class CreateLegionaryDto {
3 name: string; // Legionary's name
4 rank: string; // Rank
5 age: number; // Age
6 legio: string; // Legion name
7}NestJS offers three main tools to protect our gates:
1// Installing gate guards
2// npm install class-validator class-transformerThe entire validation process in NestJS works as follows:
1// 1. HTTP request arrives at the server
2// POST /legionaries { name: "Marcus", age: 25 }
3
4// 2. ValidationPipe intercepts the data
5// ValidationPipe runs class-transformer (type conversion)
6// Then class-validator (rule checking)
7
8// 3. If data is valid → passes to the controller
9// If data is invalid → returns 400 Bad Request errorWithout these tools, we would have to manually check every field in every endpoint — it's as if you asked every centurion to personally verify documents instead of having trained gate guards.
In the following lessons, you will learn about each of these tools in detail. Get ready, because the gate guard shows no mercy to invalid data!