Can I bind entity model values in Blazor server side directly and securely? I'm starting to worry that the client can in some way (with some tool) edit the communication message and set, for example, not the "Age" but the "Role" value in the example below.

I see that there is some {"componentId":11, "fieldValue":88} in the message, so maybe some other modified number, for example {"componentId":12, "fieldValue":88}, will set not "Age" but "Role"?
I don't think I could prove it is definitively possible to tamper with the binding of parameters in Blazor without actually doing it, but there are very good reasons to assume that it is possible.
Under the hood Blazor Server uses a secure Web Sockets connection to the server, but anyone with control of the client can still capture and modify the traffic. A 2-minute search says Fiddler & Burp Suite are both capable of this.
Like with any traditional web application, all data received from a client should be treated as suspect until appropriately validated.
If the Role property is significant in your application, then it should never be settable from the client. A good way to prevent this from happening by accident is to use different classes for the data/business operations compared to the client presentation models.
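The separation recommended in the answer above, as an added C# example that is not part of the original post. `UserEntity`, `ProfileEditModel` and `ProfileService` are hypothetical names; a Blazor form would bind only to `ProfileEditModel`, so no client message can reach `Role`.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

// Persistence/business entity: never bound to a component (hypothetical name).
public class UserEntity
{
    public int Id { get; set; }
    public int Age { get; set; }
    public string Role { get; set; } = "User";   // set by server-side logic only
}

// Presentation model: exposes only the fields the client is allowed to change.
public class ProfileEditModel
{
    [Range(0, 150)]
    public int Age { get; set; }
}

public static class ProfileService
{
    // Re-validates the client-supplied model on the server, then copies
    // the allowed fields onto the entity. Role has no path from the input.
    public static bool TryApply(ProfileEditModel input, UserEntity target,
                                out List<ValidationResult> errors)
    {
        errors = new List<ValidationResult>();
        var ctx = new ValidationContext(input);
        if (!Validator.TryValidateObject(input, ctx, errors, validateAllProperties: true))
            return false;   // reject; the entity is left unchanged

        target.Age = input.Age;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data.
        var user = new UserEntity { Id = 1, Age = 30, Role = "User" };

        var ok = ProfileService.TryApply(new ProfileEditModel { Age = 88 }, user, out _);
        Console.WriteLine($"accepted={ok} Age={user.Age} Role={user.Role}");

        var bad = ProfileService.TryApply(new ProfileEditModel { Age = 999 }, user, out var errs);
        Console.WriteLine($"accepted={bad} errors={errs.Count} Age={user.Age} Role={user.Role}");
    }
}
```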