HTML Form Validation Guide (Native + UX Patterns)
Validate forms the right way with native HTML5 attributes, the Constraint Validation API, and humane error UX.
Good validation catches mistakes before they cost you — a mistyped email you can never reply to, an empty “required” field, a phone number in the wrong shape. This guide covers native HTML5 validation, the Constraint Validation API for custom messages, and the UX patterns that make errors feel helpful instead of hostile.
Native HTML5 validation
Before reaching for JavaScript, use what the browser gives you free. These attributes validate on submit and show a native message:
| Attribute | What it enforces |
|---|---|
required | The field must not be empty. |
type="email" | The value must look like an email address. |
type="url" | The value must be a valid absolute URL. |
minlength / maxlength | Bounds the number of characters. |
min / max | Bounds numeric and date values. |
pattern | The value must match a regular expression. |
<input type="email" name="email" required />
<input
type="text"
name="zip"
pattern="[0-9]{5}"
title="Five-digit ZIP code"
required
/>
<input type="number" name="quantity" min="1" max="10" required />Custom messages with the Constraint Validation API
The default messages are generic. To control the wording while keeping native behaviour, use setCustomValidity():
const email = document.querySelector('input[name="email"]');
email.addEventListener('invalid', () => {
if (email.validity.valueMissing) {
email.setCustomValidity('We need an email to reply to you.');
} else if (email.validity.typeMismatch) {
email.setCustomValidity('That doesn’t look like a valid email.');
}
});
// Clear the custom message as soon as the user edits the field,
// otherwise it sticks and blocks a now-valid value.
email.addEventListener('input', () => email.setCustomValidity(''));UX patterns that don’t frustrate
- Validate on blur, not on every keystroke. Yelling at someone mid-typing is hostile. Wait until they leave the field.
- Show errors inline, next to the field — not in a summary alert far from the problem.
- Keep the value. Never clear a field because it was invalid; let the user fix, not retype.
- Use the right input type (
email,tel,number) so mobile keyboards adapt. - Disable nothing on submit until you’ve checked validity — a greyed-out button with no explanation is worse than an error.
Make errors accessible
Validation and accessibility go together: error messages need to be announced to screen readers, and invalid fields need aria-invalid and a programmatic link to their message. See the accessible forms checklist for the markup, and grab ready-made expressions from the input pattern cheatsheet.
Frequently asked questions
What is HTML5 form validation?
HTML5 form validation is built into the browser. Attributes like required, type="email", min, max, and pattern make the browser check inputs and block submission with a native message — no JavaScript required. It’s the fastest way to add basic validation.
Is client-side validation enough?
No. Client-side validation is for user experience — it gives instant feedback. It can be bypassed, so you must always validate again on the server (or at your form endpoint) for anything that matters. Treat the browser as a convenience, not a security boundary.
How do I show a custom validation message?
Use the Constraint Validation API: call setCustomValidity() with your message on the input, listen for the invalid event, and clear it on input. This replaces the browser’s default text while keeping native behaviour.
How do I validate a field with a regular expression?
Use the pattern attribute with a regex, e.g. pattern="[0-9]{4}" for a 4-digit code. The browser blocks submission until the value matches. See the input pattern cheatsheet for ready-made patterns and a live tester.
Related resources
Validation on the client, safety on the server
SaveForm validates and stores every submission server-side, so even if a bot skips your browser checks, your data stays clean.