Let's say I create a game like Scrabble. It uses client-side scripting to handle the user interface and server-side code to store games, moves, etc.
Now, I would like to let users know if their move is correct. If they place a tile on a field they weren't supposed to, the game lets them know by disabling the OK button or whatever. But the same validation takes place on the server side, obviously, in case someone tries to use the API directly.
Just validate on the server side and use Fetch/Ajax to know if the movement can be done. I don't like this idea though, because the response won't be instant.
Protect the API some other way to be sure that the movement came from the client. I don't like this idea either, because there is no 100% method and I wouldn't like to end up with screwed up games.
What do you guys think? My current approach is to just ignore the DRY principle and have my code in PHP and JS. That is not something I'm proud of though.
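The trade-off described in the question, as an added example that is not part of the original post: one pure validation function gives the UI its instant feedback and is run again on the server as the authoritative check against the server's own board state. It assumes the server can run JavaScript (for example Node.js) rather than the PHP mentioned above; the board size, the simplified placement rules, and all function names are hypothetical.

```javascript
// Added example: one pure validator shared by the browser UI and the server.
// BOARD_SIZE and the simplified rules are assumptions, not full Scrabble rules.
const BOARD_SIZE = 15;

// board: Map of "row,col" -> letter for tiles already on the board.
// move: array of {row, col, letter} tiles the player wants to place.
function validateMove(board, move) {
  if (!Array.isArray(move) || move.length === 0) return { ok: false, reason: "empty move" };
  const seen = new Set();
  for (const t of move) {
    if (!t || !Number.isInteger(t.row) || !Number.isInteger(t.col) ||
        t.row < 0 || t.col < 0 || t.row >= BOARD_SIZE || t.col >= BOARD_SIZE) {
      return { ok: false, reason: "tile off board" };
    }
    if (typeof t.letter !== "string" || !/^[A-Z]$/.test(t.letter)) {
      return { ok: false, reason: "bad letter" };
    }
    const key = `${t.row},${t.col}`;
    if (board.has(key) || seen.has(key)) return { ok: false, reason: "field occupied" };
    seen.add(key);
  }
  const sameRow = move.every(t => t.row === move[0].row);
  const sameCol = move.every(t => t.col === move[0].col);
  if (!sameRow && !sameCol) return { ok: false, reason: "tiles not in one line" };
  return { ok: true, reason: null };
}

// Client side: instant feedback only, e.g. okButton.disabled = !clientCheck(...).ok
function clientCheck(localBoard, move) {
  return validateMove(localBoard, move);
}

// Server side: parse the untrusted request body and validate it against the
// server's own copy of the board. The client's verdict is never trusted.
function serverApplyMove(serverBoard, rawBody) {
  let move;
  try { move = JSON.parse(rawBody); } catch { return { status: 400, reason: "malformed JSON" }; }
  const result = validateMove(serverBoard, move);
  if (!result.ok) return { status: 422, reason: result.reason };
  // Commit only after the whole move has passed validation.
  for (const t of move) serverBoard.set(`${t.row},${t.col}`, t.letter);
  return { status: 200, reason: null };
}
```

A request sent straight to the API goes through the same `validateMove` call as one sent by the game client, so the client-side check only affects responsiveness, not which moves are accepted.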