Web security, are there issues with hidden fields (no sensitive data)?

Berlin Brown · Jan 5, 2009 · Viewed 23.3k times

I was having a discussion with coworkers. We have to implement some security standards. We know not to store 'sensitive, addresses, date of birth' information in hidden fields but is it OK to use hidden fields for your application, in general.

For example:

action=goback

It seems like it would be safer to use hidden fields for that kind of information as opposed to adding it in the query string. It is one less piece of information that a hacker could use against your application.

Answer

Neil Aitken · Jan 5, 2009

A hacker can access hidden fields just as easily as querystring values by using an intercepting proxy (or any number of tools).

I don't think there is anything wrong with using hidden fields as long as they aren't used for anything sensitive and you validate them like you would any other value from the client.
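The point of the answer, shown in code: on the server a hidden field and a query-string parameter arrive through the same form-encoding and are parsed by the same code, so anyone who can type a URL or run an intercepting proxy can set either to any value. The example below is added here and is not code from the question or the answer; the request bodies, the action names and the allowlist are constructed for illustration, and the handler is a stand-alone function rather than any particular web framework.

```python
from urllib.parse import parse_qs

# Constructed sample requests (hypothetical form with a hidden "action" input).
# A browser submitting the form sends FORM_BODY; an attacker using an
# intercepting proxy sends TAMPERED_BODY just as easily. QUERY_STRING is the
# same data carried in the URL instead of the body.
FORM_BODY = "action=goback&csrf=abc123"
TAMPERED_BODY = "action=delete_account&csrf=abc123"
QUERY_STRING = "action=goback"

# Server-side allowlist of actions the form is permitted to trigger
# (hypothetical names, chosen for the example).
ALLOWED_ACTIONS = {"goback", "continue", "cancel"}


def parse_form(data: str) -> dict[str, str]:
    """Parse an application/x-www-form-urlencoded body or query string into
    single-valued fields. One function handles both on purpose: from the
    server's point of view a hidden field and a query parameter are the same
    kind of untrusted client input."""
    parsed = parse_qs(data, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def handle_request_insecure(fields: dict[str, str]) -> str:
    """Trusts the hidden field as if the browser could not change it: whatever
    string the client sends becomes the dispatch target."""
    return f"dispatch:{fields.get('action')}"


def handle_request(fields: dict[str, str]) -> str:
    """Treats the hidden field like any other client value: reject anything
    not on the server-side allowlist before acting on it."""
    action = fields.get("action", "")
    if action not in ALLOWED_ACTIONS:
        return "error:invalid_action"
    return f"dispatch:{action}"


if __name__ == "__main__":
    # The hidden field and the query string parse to the same value.
    print(parse_form(FORM_BODY)["action"] == parse_form(QUERY_STRING)["action"])
    # The tampered body slips through the trusting handler but not the validating one.
    print(handle_request_insecure(parse_form(TAMPERED_BODY)))
    print(handle_request(parse_form(TAMPERED_BODY)))
```

The allowlist is the cheap and usual check for a field like `action`; for hidden fields carrying other data (numbers, identifiers) the same rule applies with the appropriate type, range or ownership check, exactly as for a query parameter.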