
The Browser Never Sees the Answer Key

If you send the answer key to the browser, the quiz is already soft.

The browser can see the question and the choices. It cannot see the correct answer. That is the line that keeps a leaderboard honest.

I built Quiz Islami into islami.click, an Islamic knowledge quiz with 8 categories, 3 difficulty levels, and a shared leaderboard. The scoring had to stay trustworthy, so the answer key never leaves the server.

How the API Is Structured

The quiz endpoint returns only what the browser needs to render the question:

```json
{
  "id": "q1",
  "question": "...",
  "options": ["A", "B", "C", "D"]
}
```

There is no correct answer in that payload. The client cannot grade itself.

When the user submits, the browser sends the session token, the question ID, and the selected option. The server checks that the question matches the active session, looks up the correct answer, and computes the score before anything is written to the database.

The Scoring Formula

Each question is worth up to 20 points. A correct answer earns 10. The other 10 come from how fast you answered:

```plaintext
timeBonus = round(timeLeft / 30 * 10)
score += 10 + timeBonus  // only if correct
```

The timer runs 30 seconds per question. The server measures elapsed time itself, then clamps the result to the timer window. Answer immediately and you get the full bonus. Wait too long and the bonus drops to zero. Wrong answers score zero.

What the Server Validates

The server does not trust the browser to report time left. It measures elapsed time on its side.

That matters because client-timed scoring is easy to fake. If the browser can choose its own remaining time, the leaderboard is junk.

The server also checks that the session is active, the question belongs to that session, and the answer index is valid. The client can pick an answer. It cannot reshape the rules.

| Claim | Reality |
| --- | --- |
| Client sends time left | No, the server measures time itself |
| Client sees answer key | No, only question and options are sent |
| Client can forge score | No, score is computed server-side |
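
The checks in this section as a minimal sketch, added here as an example and not the code behind islami.click. The names `ANSWER_KEY`, `QUESTIONS`, `sessions`, `serveQuestion` and `submitAnswer` are hypothetical, the in-memory map stands in for the database, and clearing the question after one submission is an added assumption.

```javascript
// Added example (not the site's code). All names here are hypothetical.
const TIMER_MS = 30_000; // 30 seconds per question, as in the post

// Constructed sample data. The answer key lives only on the server.
const ANSWER_KEY = { q1: 2 };
const QUESTIONS = { q1: { id: "q1", question: "...", options: ["A", "B", "C", "D"] } };
const sessions = new Map(); // token -> { active, questionId, servedAt, score }

// Record which question was served and when, using the server clock.
function serveQuestion(token, questionId, now = Date.now()) {
  if (!QUESTIONS[questionId]) return null;
  const s = sessions.get(token) ?? { active: true, score: 0 };
  s.questionId = questionId;
  s.servedAt = now;
  sessions.set(token, s);
  return QUESTIONS[questionId]; // payload carries no correct answer
}

// Grade a submission. The request has no time field for the client to set.
function submitAnswer(token, questionId, selected, now = Date.now()) {
  const s = sessions.get(token);
  if (!s || !s.active) return { ok: false, error: "inactive session" };
  if (s.questionId !== questionId) return { ok: false, error: "question not in session" };
  const q = QUESTIONS[questionId];
  if (!Number.isInteger(selected) || selected < 0 || selected >= q.options.length)
    return { ok: false, error: "invalid option" };

  // Clamp server-measured elapsed time to the timer window, then apply the formula.
  const elapsed = Math.min(Math.max(now - s.servedAt, 0), TIMER_MS);
  const timeLeft = (TIMER_MS - elapsed) / 1000;
  const correct = ANSWER_KEY[questionId] === selected;
  const gained = correct ? 10 + Math.round((timeLeft / 30) * 10) : 0;

  s.questionId = null; // added assumption: one graded submission per served question
  s.score += gained;
  return { ok: true, correct, gained, total: s.score };
}
```

The `now` parameter exists only so the server clock can be fixed in tests; a real handler would never fill it from the request.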

Is This Right for You?

If your quiz has a leaderboard or any kind of competition, server-side scoring is non-negotiable. Send the answer key to the browser and you will spend the rest of your time explaining weird score spikes.

If you are building a self-study tool with no shared scores, client-side scoring is fine. You save a round trip and keep the code simpler.

For anything in between, ask one question: would cheating break the experience for other people? If yes, move the validation to the server.


The Browser Never Sees the Answer Key
https://srmdn.com/blog/browser-never-sees-the-answer-key
Author srmdn
Published at May 12, 2026