How to make sure elements of HTML form have not been changed in purpose of hacking on client side before submit?

Question

I want to know is there any way to prevent elements of HTML form from changing on client side before submit (the elements they have value, like hidden elements)?

Lets say I have hidden elements. I want to make sure their values haven't been changed by user in purpose.

Or what is HTML FORM Security Best Practice?

Answer 1

No, there is no way to prevent the client from sending you arbitrarily manipulated or malformed requests. That's not just true for web apps, it's true for any app where you don't physically control the client.

Best practice is to expect that and deal with it. Specific mechanisms to do that include:

• Keep data in a server-side session variable instead of using hidden fields
• Alternatively, use cryptographic hash sums (that include a salt and the client's IP address) to ensure data has not been tampered with
• Run all client-supplied data through functions that strip potential SQL injection or XSS attacks before using it
• Check user authorization on every page (so that people can't e.g. see/manipulate other user's data simply by changing the id parameter on the "edit profile" page)

Answer 2

Generally, you should make sure that your system is robust enough to handle any sort of malicious input. Assuming that you've taken care of that, if you still need to make sure the information hasn't been tampered with, then use an HMAC. Your web library or programming language should have some sort of routine for this built in.