Web security, are there issues with hidden fields (no sensitive data)?

Question

I was having a discussion with coworkers. We have to implement some security standards. We know not to store \'sensitive, addresses, date of birth\' information in hidden

Answer 1

Making a field "hidden" has pretty much nothing to do with security, and should be considered a UI decision. Any "hacker" will read your HTML source anyway.

Better to either not show sensitive information at all, or, if you must, to use SSL (to prevent data interception by network intermediaries) and some combination of login challenges (to prevent unauthorized access).

Answer 2

As other people have mentioned both the query string and hidden fields are essentially public data, viewable by the user.

One thing to keep in mind if you place data on the querystring is that people pass urls around, and because of this should never contain any information specific to the current user.

It is also probably a good idea not to include state information in the url, if that state can not be entered directly. Or at least you would need to handle invalid state information in the querystring.

Answer 3

A hacker can access hidden fields just as easily as querystring values by using an intercepting proxy (or any number of tools).

I dont think there is anything wrong with using hidden fields as long as they aren't used for anything sensitive and you validate them like you would any other value from the client.

Answer 4

Consider encrypting the name and value of your hidden field for the purpose of tamper checking since hackers can still get hold of your hidden fields and manipulate them the way they wanted to.