I know that JavaScript is an incredibly insecure way of programming a persistent game, where for instance you are doing battle calculations in an RPG and then award XP through l
In short, you can't trust anything sent from the client, so the answer is yes - you gotta do the work on the server side.
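The answer's point as an added example (not code from the original post): a handler that trusts a client-reported XP value next to one where the client sends only its intent and the server runs the battle calculation itself. The function names, stats and damage formula are assumptions made up for illustration.

```javascript
// Constructed server-side state. The client never supplies these values.
const players = new Map([["p1", { attack: 12, hp: 40, xp: 100 }]]);
const monsters = new Map([
  ["slime", { hp: 20, attack: 4, xpReward: 15 }],
  ["dragon", { hp: 500, attack: 60, xpReward: 900 }],
]);

// Before: the battle ran in the browser and the client reports the result.
// Whatever number arrives in xpEarned is credited as-is.
function awardXpTrusting(req) {
  const player = players.get(req.playerId);
  player.xp += req.xpEarned;
  return player.xp;
}

// After: the request carries only who fights what. The server looks up the
// stats, simulates the fight and decides the reward; any xpEarned field in
// the request is ignored. rng is injectable so the outcome can be tested.
function resolveBattle(req, rng = Math.random) {
  const player = players.get(req.playerId);
  const monster = monsters.get(req.monsterId);
  if (!player || !monster) {
    return { ok: false, error: "unknown player or monster" };
  }
  let playerHp = player.hp;
  let monsterHp = monster.hp;
  // Hypothetical damage formula: attack scaled by a factor in [0.5, 1.5).
  for (let round = 0; round < 100 && playerHp > 0 && monsterHp > 0; round++) {
    monsterHp -= Math.floor(player.attack * (0.5 + rng()));
    if (monsterHp > 0) {
      playerHp -= Math.floor(monster.attack * (0.5 + rng()));
    }
  }
  const won = monsterHp <= 0;
  if (won) player.xp += monster.xpReward; // reward comes from server data only
  return { ok: true, won, xp: player.xp };
}
```

In a real deployment `req.playerId` would come from the authenticated session rather than the request body, for the same reason.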