Considering any script kiddie can pimp-slap aside client-side scripting, this is something you MUST do server-side even if you have a client-side aid.
This is really none of the UI's business in terms of the security functionality since again, one script kiddie swapping your app to developer mode -- or client side JS via tampermonkey if this is running in a browser -- can kick that client-side check right in the groin.
ANY 'validation' you do via the submit even should be thought of in those terms, they are an enhancement and convenience, but should NEVER be used for actual functionality or security checks. Basically if you want good practices, you should write it to work as if client-side scripting (or even HTML 5 level) checks do not even exist FIRST.