All the validation controls perform their respective validations BOTH client
and server side. The validation is first done client side to prevent a
wastefull trip to the server when the data is know to violate the validation
rules. Assuming the data is good (or seems to be), the validation is again
performed on the server to catch any spoofing attempts by the client.
Validation controls have an "EnableClientScript" property (which defaults to
true) to indicate if the client side validation should, in fact, take place
(this is presumably for situations when the client might have scripting
turned off). Even if this setting is false, the server side validation will
still occur.
Understanding ASP.NET Validation Techniques[
^]