C
C#•3y ago
BlueJayBird

Hidden input fields and security concerns

I was reading about the use of hidden input fields, and I came across with this post https://stackoverflow.com/a/59320449/7389293 What are your thoughts on this? On my side, I'm always worried about security. What suggestions and experiences you have regarding this kind of fields and security? I attach a screenshot of some hidden fields rendered using Razor on MVC project.
Stack Overflow
What's the point of having hidden input in HTML? What are common us...
I don't see the benefit of having hidden input? If you set the value of the hidden input why not just use that value at the point where you reference this hidden input? There are reasons for this ...
14 Replies
Unknown User
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
BlueJayBird
BlueJayBirdOP•3y ago
Yeah, @Duke , but my question is (and I'm sorry I was not clear about that in my post) if you think that's necessary to encrypt the data like that guy suggests in that post.
Unknown User
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
BlueJayBird
BlueJayBirdOP•3y ago
The hidden value, and decrypt it after post.
Unknown User
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
BlueJayBird
BlueJayBirdOP•3y ago
All of them. My main question is if it even worth the effort of adding encryption to those fields. Probably not...
Unknown User
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
Pobiega
Pobiega•3y ago
Depends on the data in the fields for example, a HTTP post/put edit might use a hidden field to specify what is being edited no need to encrypt that, just verify it
BlueJayBird
BlueJayBirdOP•3y ago
How do I verify it?
Pobiega
Pobiega•3y ago
Check that the user has the rights to edit the given number if they use web dev tools to change the number, you dont care. they still have access to editing that thing, so probably they just ruined or replaced their old data
BlueJayBird
BlueJayBirdOP•3y ago
Ok, regarding that last point there's something I don't get. I really don't want the used modify the hidden data using Dev Tools, but I don't know if I should care if he changes anything.
Pobiega
Pobiega•3y ago
as I said, it depends on the data. if its "you shouldn't edit this, but if you do, its on you" leave it open if its "if you edit this, my program breaks" then encrypt it but ultimately, you have to remember the backend developers mantra "Do not trust the frontend"
BlueJayBird
BlueJayBirdOP•3y ago
Ok. I understand that. Is encrypting the only one solution for this?
Pobiega
Pobiega•3y ago
no, the best way is to never let that data touch the frontend anyways 😛 if you encrypt it clientside, its not safe
Want results from more Discord servers?
Add your server