microservices, server-side-rendering

Is it necessary to validate the input data of a microservice that is not public?


I have an application that has server rendering, and I have several private microservices, since I use server rendering to call microservices by HTTP. My question is if it is necessary to validate the input (body/query/params) of these microservices.


Solution

  • If you're reasonably sure that the architecture will never change to one where a client you don't control (and also a client that you're sure will not send invalid requests) can make requests to those services, then you can probably get away with not validating.

    That said, remember that discipline is generally a bounded cost per unit of work, while the cost of regret can easily be superlinear.
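As an added illustration (not part of the original answer or any project's code), here is one way a private service could validate body/query/params itself, so the check stays in place if the set of callers ever changes. JavaScript is assumed because the question does not name a language; the schema, field names and sample requests are hypothetical.

```javascript
// Added example: hypothetical rules for an internal "order items" endpoint.
// Params and query values arrive as strings, so rules check type before content.
const isInt = (min, max) => (v) =>
  typeof v === "string" && /^\d{1,9}$/.test(v) && Number(v) >= min && Number(v) <= max;
const matches = (re) => (v) => typeof v === "string" && re.test(v);
const oneOf = (...allowed) => (v) => allowed.includes(v);
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const orderItemsSchema = {
  params: { orderId: { required: true, check: matches(/^[0-9a-f]{24}$/) } },
  query: {
    page: { required: false, check: isInt(1, 1000) },
    sort: { required: false, check: oneOf("asc", "desc") },
  },
  body: {}, // this endpoint accepts no body fields
};

// Validates params, query and body against the schema.
// Returns a list of error strings; an empty list means the request is valid.
function validateRequest(schema, req) {
  const errors = [];
  for (const part of ["params", "query", "body"]) {
    const rules = schema[part] || {};
    const input = req[part] || {};
    // Reject fields the service does not declare (allow-list, not deny-list).
    for (const key of Object.keys(input)) {
      if (!has(rules, key)) errors.push(`${part}.${key}: unexpected field`);
    }
    for (const [key, rule] of Object.entries(rules)) {
      if (!has(input, key)) {
        if (rule.required) errors.push(`${part}.${key}: missing`);
      } else if (!rule.check(input[key])) {
        errors.push(`${part}.${key}: invalid value`);
      }
    }
  }
  return errors;
}

// Constructed sample requests, shaped as the rendering server might send them.
const good = { params: { orderId: "5f1d7f3e2a9b4c0012ab34cd" }, query: { page: "2", sort: "asc" }, body: {} };
// A repeated query parameter often parses to an array; the rule rejects it.
const bad = { params: { orderId: "not-an-id" }, query: { page: "0", sort: ["asc", "desc"] }, body: { extra: true } };
```

The service would answer with a 400 and the error list whenever `validateRequest` returns a non-empty array, before any handler logic runs.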