htmlsecurityhidden-fields

Web security, are there issues with hidden fields (no sensitive data)?


I was having a discussion with coworkers. We have to implement some security standards. We know not to store 'sensitive, addresses, date of birth' information in hidden fields but is it OK to use hidden fields for your application, in general.

For example:

action=goback

It seems like it would be safer to use hidden fields for that kind of information as opposed to adding it in the query string. It is one less piece of information that a hacker could use against your application.


Solution

  • A hacker can access hidden fields just as easily as querystring values by using an intercepting proxy (or any number of tools).

    I dont think there is anything wrong with using hidden fields as long as they aren't used for anything sensitive and you validate them like you would any other value from the client.