Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Web security, are there issues with hidden fields (no sensitive data)?

Tags:

html

security

hidden-fields

I was having a discussion with coworkers. We have to implement some security standards. We know not to store 'sensitive, addresses, date of birth' information in hidden fields but is it OK to use hidden fields for your application, in general.

For example:

action=goback

It seems like it would be safer to use hidden fields for that kind of information as opposed to adding it in the query string. It is one less piece of information that a hacker could use against your application.

like image 849
Berlin Brown Avatar asked Jan 05 '09 17:01

Berlin Brown

People also ask

Are hidden fields secure?

Overview. Hidden fields allow developers to process application data without having to display it on the screen. Using hidden fields to pass data in forms is a common practice among web applications and by itself is not a security risk. However, hidden fields are not secure and can be easily manipulated by users.

What are hidden fields used for on a web form?

Hidden fields tell you exactly where they came from without relying on the users' memory or desire to fill that in. There are additional codes you can add if you need advanced tracking. They can be added using the Google Tag Manager or by making changes to your website itself.

What are hidden data fields?

A hidden field let web developers include data that cannot be seen or modified by users when a form is submitted. A hidden field often stores what database record that needs to be updated when the form is submitted.

2 Answers

A hacker can access hidden fields just as easily as querystring values by using an intercepting proxy (or any number of tools).

I dont think there is anything wrong with using hidden fields as long as they aren't used for anything sensitive and you validate them like you would any other value from the client.

like image 160
Neil Aitken Avatar answered Sep 20 '22 17:09

Neil Aitken

Making a field "hidden" has pretty much nothing to do with security, and should be considered a UI decision. Any "hacker" will read your HTML source anyway.

Better to either not show sensitive information at all, or, if you must, to use SSL (to prevent data interception by network intermediaries) and some combination of login challenges (to prevent unauthorized access).

like image 21
Kenan Banks Avatar answered Sep 20 '22 17:09

Kenan Banks
Sign in to Comment

Related questions

Cutting image diagonally with CSS
How can I change the font (family) for the labels in Chart.JS?
Require one from two fields using Angular 2
Why is my 'add to home screen' Web App Install Banner not showing up in my web app
Centered modal load spinner bootstrap 4
Using Flex/CSS with wkhtmltopdf
PHP expression <<<EOB
Different form ACTION depending on button pressed
Align div elements next and under each other
Does Chrome have built-in speech recognition for "x-webkit-speech" input elements?
How do I get the previously focused element in JavaScript?
How to figure out when a HTML5 video player enters the full screen mode on iOS / iPads?
Dom exception debugging with chrome developer tools in jquery
Using jQuery's .on function how do I get the originating element for the event?
HTML5 localstorage in Cordova
How do I use a gradient as a font color in CSS?
jquery Scroll to class name
Sanitizing HTML input value
How to check a user watched the full video in html5 video player
Stop playing video in iframe when modal is closed

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!