Anything that's not on the server is inherently insecure. After all, it only takes a telnet connection and the user can send literally anything they want to your server.
In short, you can't trust anything sent from the client, so the answer is yes - you gotta do the work on the server side.
Unfortunately, HTML5 doesn't change these basic properties in any way. So no, you have to do it all server-side.
No matter what the game, whether JS or native binary, if the scoring system is vulnerable, people will tamper if the game is good enough. Stick to clever serverside every time.
©2020 All rights reserved.