How to make sure a POST request to a REST api is "safe"

I have a JSON REST-api with NodeJs, Express and MongoDB. Several user accounts are using this API to CRUD resources of a web app. Access to the API is granted via a /login route, where users can establish a session.

But lets say one of my users are evil, and he knows that the front-end is talking to a API, and he wants to send some unexpected JSON data to the API.

Lets say he establish a session with the API, and then use a REST-client, like POSTMAN to send JSON that is not expected to a POST route.

What is the route is expecting something like this

{
  name: "Anders",
  age: 32, 
  country: "sweden"
}

but instead receive something like this from an "evil" user armed with a REST-client.

{
  wrong_key1: 23423432423423,
  wrong_key2: 2341234123431542315413, 
  wrong_key2: ["ascdaeawe", "sadfasfe", "sdfahrta"]
  wrong_key4: "http://www.evildomain.com/",
}

What is the best way to handle this?

1. Filter out just the expected values from req.body, validate them, and ignore all others?
2. Disallow request from other domains, making sure the request are only coming from my web app domain? This seems a bit "anti REST" although, and I dont even know if this is possible.
3. Expect users with a login never to do something like this, and therefore not deal with it?
4. Something else...?