Viewing HTML source code, security


I have this instruction in my HTML code:


The problem is that by inspecting the source code you can modify it and thus see the div in which the instruction is found.

Is there any way to keep them from modifying this?

asked by Lorenzo Martín 16.10.2018 at 19:31

2 answers


Unfortunately, once the information is presented in the interface (whether in visible or non-visible elements), there is no way to control what a user will do with it. If it is confidential or restricted information, it is best to:

  • Not show it; or
  • Display it encrypted or unreadable, so that only the application can make use of the information being displayed.
  • Remember that no method of hiding information that reaches the interface is entirely reliable, since with a little interaction with the console you can access any information that has already been rendered on the page.

    Validation of the values that you do not want modified in the interface must happen at the controller level (or whoever receives the content you want to keep intact).

    answered by 16.10.2018 at 20:12

    Hiding things in the HTML gives a false sense of security; it does not even take a console to discover them.

    From a bookmark (bookmark / favorite) you can run JavaScript in the context of the current page.

    In this case I look for the divs and set them to display: block; you can change the text/background color, etc.

    Something more elaborate would be to take the info and send it to a server with promiscuous CORS for later analysis, walk the DOM and recreate it in a fixed div to see all the classes and contents, etc.

    To create a bookmark with JavaScript you put javascript: as the protocol in the URL, or drag a link that already has the URL built to the bookmarks/favorites bar.

    Run the snippet and drag the link to the bookmarks bar for future use. (Note that it visually breaks the entire layout.)

    <!-- Bookmarklet: set every div to display:block so hidden ones show up. -->
    <a href="javascript:(function(){document.querySelectorAll('div').forEach((d)=>{d.style.display='block'})})();">averche</a>
    <div style="display:none">no me veeen</div>

    This is a basic example; a more professional attacker would build a browser extension.

    So my advice is ... rethink the security scheme.

    answered by 16.10.2018 at 21:11
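    A fuller version of the bookmarklet idea from this answer, as an added example (not code from the answer). `revealHidden` walks the whole DOM rather than just divs, undoes every common hiding technique (inline `display:none`, class-based hiding via `getComputedStyle`, `visibility:hidden`, the `hidden` attribute, and `<input type="hidden">`, which it turns into an editable text input) and returns a report of what it changed. `toBookmarklet` wraps any function into a `javascript:` URL fit for a bookmark. `sampleDocument` is a constructed stand-in for a DOM so the logic can be run in Node without a browser; on a real page pass `document` instead.

```javascript
'use strict';

// Reveal every hidden element under `root` and report what was hidden and how.
// Uses getComputedStyle when a window exists so stylesheet rules such as
// .secret { display: none } are caught, not only inline styles.
function revealHidden(root) {
  const report = [];
  const win = root.defaultView || (root.ownerDocument && root.ownerDocument.defaultView);
  root.querySelectorAll('*').forEach((el) => {
    const reasons = [];
    const cs = win && win.getComputedStyle ? win.getComputedStyle(el) : el.style;
    if (el.hasAttribute('hidden')) {
      el.removeAttribute('hidden');
      reasons.push('hidden attribute');
    }
    if (cs.display === 'none') {
      el.style.setProperty('display', 'block', 'important'); // outranks author stylesheet rules
      reasons.push('display:none');
    }
    if (cs.visibility === 'hidden') {
      el.style.setProperty('visibility', 'visible', 'important');
      reasons.push('visibility:hidden');
    }
    if (el.tagName === 'INPUT' && el.getAttribute('type') === 'hidden') {
      el.setAttribute('type', 'text'); // the hidden form value becomes visible and editable
      reasons.push('input type=hidden value=' + el.value);
    }
    if (reasons.length) {
      report.push({ tag: el.tagName.toLowerCase(), id: el.id || null, reasons });
    }
  });
  return report;
}

// Wrap a function into a javascript: URL for a bookmark. Percent-encoding
// keeps characters like # and % from being misread by the URL parser, and
// void() stops the browser from navigating to the function's return value.
function toBookmarklet(fn) {
  return 'javascript:' + encodeURIComponent('void((' + fn.toString() + ')(document))');
}

// Constructed stand-in for a document (not a real DOM): five elements, four of
// them hidden in different ways, exposing just the methods revealHidden uses.
function sampleDocument() {
  const mk = (tagName, attrs, style, value) => ({
    tagName,
    id: attrs.id || '',
    value: value || '',
    attrs,
    style: Object.assign({ setProperty(name, v) { this[name] = v; } }, style),
    hasAttribute(n) { return n in this.attrs; },
    removeAttribute(n) { delete this.attrs[n]; },
    getAttribute(n) { return this.attrs[n] === undefined ? null : this.attrs[n]; },
    setAttribute(n, v) { this.attrs[n] = String(v); },
  });
  const nodes = [
    mk('DIV', { id: 'public' }, {}),
    mk('DIV', { id: 'secret' }, { display: 'none' }),
    mk('SPAN', { id: 'ghost' }, { visibility: 'hidden' }),
    mk('P', { id: 'attr', hidden: '' }, {}),
    mk('INPUT', { id: 'price', type: 'hidden' }, {}, '9.99'),
  ];
  return { querySelectorAll: () => nodes, nodes };
}

if (typeof document === 'undefined') {
  // Running under Node: show the report on the constructed document, then the
  // bookmark URL you would drag to the favorites bar in a browser.
  console.log(revealHidden(sampleDocument()));
  console.log(toBookmarklet(revealHidden));
}
```

    On a real page the report also lists what each hidden input carried, which is exactly the data the other answer says must be re-validated server-side; the client can now edit it in place and submit the form.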