As soon as someone sends data your system should process, check it; if invalid, reject with an appropriate HTTP error status. Coercion is occasionally right, but more often than not bad data should be rejected outright.