Input validation at the controller level, business rules and workflow logic inside the service layer, separate request and response DTOs, and the repository strictly handling database operations ...
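As an added example that is not part of the original post, the four-way split above in plain Python with an in-memory SQLite database: the controller checks only shape, type, length and format of the incoming body; the service owns the business rules; the repository is the only class that issues SQL, always parameterized; the request DTO lists exactly the fields a client may set and the response DTO omits the password hash and admin flag. The user-registration domain, the field names, the validation limits and the blocked-domain rule are all assumptions made for the example.

```python
import hashlib
import os
import re
import sqlite3
from dataclasses import asdict, dataclass

# Assumed format check: local part and domain, no whitespace, bounded lengths.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")


@dataclass(frozen=True)
class CreateUserRequest:
    """Request DTO: exactly the fields a client is allowed to send (assumed)."""
    email: str
    display_name: str
    password: str


@dataclass(frozen=True)
class UserResponse:
    """Response DTO: what leaves the service. No password hash, no admin flag."""
    id: int
    email: str
    display_name: str


class ValidationError(ValueError):
    pass


class BusinessRuleError(RuntimeError):
    pass


class UserRepository:
    """The only layer that issues SQL; every statement is parameterized."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, "
            "email TEXT UNIQUE NOT NULL, display_name TEXT NOT NULL, "
            "password_hash BLOB NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)"
        )

    def exists_by_email(self, email: str) -> bool:
        row = self.conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone()
        return row is not None

    def insert(self, email: str, display_name: str, password_hash: bytes) -> int:
        cur = self.conn.execute(
            "INSERT INTO users (email, display_name, password_hash) VALUES (?, ?, ?)",
            (email, display_name, password_hash),
        )
        return cur.lastrowid

    def is_admin(self, user_id: int) -> bool:
        row = self.conn.execute("SELECT is_admin FROM users WHERE id = ?", (user_id,)).fetchone()
        return bool(row[0]) if row else False


class UserService:
    """Business rules and workflow; knows nothing about HTTP or SQL."""

    BLOCKED_DOMAINS = {"example.invalid"}  # assumed business rule for the example

    def __init__(self, repo: UserRepository) -> None:
        self.repo = repo

    def register(self, req: CreateUserRequest) -> UserResponse:
        if req.email.rsplit("@", 1)[1] in self.BLOCKED_DOMAINS:
            raise BusinessRuleError("domain not allowed")
        if self.repo.exists_by_email(req.email):
            raise BusinessRuleError("email already registered")
        salt = os.urandom(16)  # per-user salt stored alongside the PBKDF2 digest
        digest = hashlib.pbkdf2_hmac("sha256", req.password.encode(), salt, 600_000)
        user_id = self.repo.insert(req.email, req.display_name, salt + digest)
        return UserResponse(id=user_id, email=req.email, display_name=req.display_name)


class UserController:
    """Input validation only. Unknown keys in the body are never copied."""

    def __init__(self, service: UserService) -> None:
        self.service = service

    @staticmethod
    def _parse(body) -> CreateUserRequest:
        if not isinstance(body, dict):
            raise ValidationError("body must be an object")
        email, name, password = body.get("email"), body.get("display_name"), body.get("password")
        if not isinstance(email, str) or not EMAIL_RE.match(email):
            raise ValidationError("email is malformed")
        if not isinstance(name, str) or not 1 <= len(name.strip()) <= 64:
            raise ValidationError("display_name must be 1-64 characters")
        if not isinstance(password, str) or not 12 <= len(password) <= 128:
            raise ValidationError("password must be 12-128 characters")
        # Building the DTO field by field means a client-supplied "is_admin"
        # never reaches the service or the database (no mass assignment).
        return CreateUserRequest(email=email.lower(), display_name=name.strip(), password=password)

    def create_user(self, body):
        """Returns (status, json_body) the way an HTTP handler would."""
        try:
            user = self.service.register(self._parse(body))
        except ValidationError as e:
            return 400, {"error": str(e)}
        except BusinessRuleError as e:
            return 409, {"error": str(e)}
        return 201, asdict(user)


def build_app():
    repo = UserRepository(sqlite3.connect(":memory:"))
    return UserController(UserService(repo)), repo
```

Each layer can be unit-tested in isolation: the controller with malformed bodies, the service with a fake repository, the repository against SQLite. The security properties fall out of the split rather than out of remembering a check in each handler: the hash and admin flag cannot leak because the response DTO has no field for them, and a hostile `is_admin` in the request is dropped at the controller because the request DTO has no field for it either.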