The key to preventing client-side vulnerabilities, or at least to minimizing their impact, is never to trust external information, be it from a client application, web service, or the server inputs. These must always be validated before processing them, and all of the data being shown to users must be properly sanitized and formatted before displaying it in any format (such as HTML, CSV, JSON, and XML). It is a good practice to do a validation layer on the client-side, but that cannot be a replacement for server-side validation.

The same thing happens with authentication and authorization checks. Some effort can be made to reduce the number of invalid requests that reach the server, but the server-side code must verify that the requests that reach it are indeed valid and allowed to proceed to the user's session that is sending such requests.

For AJAX and HTML5, correctly configuring the server and parameters, such as cross origin, content...