For any kind of modern web application, where more logic is being moved to the client side, security does need to be well planned as, realistically, you have to prepare for the fact that someone could rewrite your entire interface for malicious purposes.
You're right that validating every move server side does introduce latency; however, as mentioned by qwertynl above, you could use websockets to minimise it. Developers have produced multiplayer games with real time communication (such as FPSes) for a long time now, so you'd assume there'd be plenty of algorithms and strategies out there for maximising bandwidth and minimising latency. If your game involves any kind of real time communication, you'll already need low latency solutions in place, so adding a bit of validation is not a problem.
For more transactional games, this becomes a lot easier because nothing necessarily needs to be real time. The interface knows your XP, mana, etc., so when you perform an action the application adds the action to your outbound queue and responds, predicting the outcome as though the action was successful.
When the action is sent to the server, if the actual result is different to what the client anticipated, due to people tampering with their mana levels, loss of connectivity of another player, etc., then the action isn't applied to your internal server side game state, and the server responds with a game state that ignores your past actions.
This method can result in strange behaviours where you're playing and next thing your past few minutes of gameplay vanish, but remember this validation is to protect the game from abusers and poor network connectivity, and is not something that will be encountered by the majority of users.
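
The predict-then-validate flow described in the answer above, as an added example that is not part of the original post. The spell names, costs, sequence numbers and all function names are assumptions made for illustration; the point is that the server replays queued actions against its own state and never reads the client's reported mana or XP.

```javascript
// Constructed rules for this example: each spell has a mana cost and an XP reward.
const SPELLS = { fireball: { mana: 30, xp: 10 }, heal: { mana: 20, xp: 5 } };

// Rule function used by the client to predict and by the server to validate.
// Returns the next state, or null when the action is not allowed from `state`.
function applyAction(state, action) {
  const known = Object.prototype.hasOwnProperty.call(SPELLS, action.spell);
  const spell = known ? SPELLS[action.spell] : null;
  if (!spell || state.mana < spell.mana) return null;
  return { mana: state.mana - spell.mana, xp: state.xp + spell.xp };
}

// Client: apply the action optimistically, then queue it for the server.
function clientAct(client, spell) {
  const action = { seq: client.nextSeq, spell };
  const predicted = applyAction(client.state, action);
  if (!predicted) return false;
  client.state = predicted;
  client.outbound.push(action);
  client.nextSeq++;
  return true;
}

// Server: replay the queue against its OWN copy of the state. It stops at the
// first invalid action and drops the rest, because those were predicted on a
// state that never existed server side.
function serverProcess(session, actions) {
  let accepted = 0;
  for (const action of actions) {
    if (action.seq !== session.nextSeq) break; // replayed or out-of-order action
    const next = applyAction(session.state, action);
    if (!next) break;
    session.state = next;
    session.nextSeq++;
    accepted++;
  }
  const rejected = actions.length - accepted;
  return { accepted, rejected, state: { ...session.state }, nextSeq: session.nextSeq };
}

// Client: discard its predictions and adopt the authoritative state.
function clientReconcile(client, reply) {
  client.state = { ...reply.state };
  client.nextSeq = reply.nextSeq;
  client.outbound = [];
}
```

Logging every reply where `rejected` is non-zero gives a per-account signal that separates occasional network desync from repeated tampering.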