Django how to secure hidden input fields and prevent forms submitting if value changed?

I am rendering the current user's data in hidden inputs so the user doesn't need to retype the data again if he is logged in. The user can inspect the HTML page and see that hidden input data. He can also change the hidden input data, which is one kind of security risk for my website. For example, I have a hidden input where the user's email and name are rendered like this:

<input type="hidden" name="name" class="form-control" placeholder="Your Name" value="Jhone" required=""> 

The user can inspect the HTML and change the value, and then my form submits with the new updated value. Is there any way to stop the form from submitting if the value is changed? Here is my code:

#html template

{% for i in currentuser_details %}
  {% for y in user_profile %}
    <input type="hidden" name="userprofile" value="{{ y.id }}">
  {% endfor %}
  <input type="hidden" name="name" class="form-control" placeholder="Your Name" value="{{ i.first_name }}" required>
  <input type="hidden" name="email" class="form-control" placeholder="Enter email" value="{{ i.email }}" required>
{% endfor %}

#html hidden input rendering data

<input type="hidden" name="name" class="form-control" placeholder="Your Name" value="Jhone" required="">
<input type="hidden" name="email" class="form-control" placeholder="Your Name" value="Jhone@gmail.com" required="">

<input type="hidden" name="userprofile" value="1">

<input type="hidden" name="parent" id="parent_id" value="95">

The most important fields for me are userprofile and parent. I want to prevent the form from submitting if any hidden value changes.

forms.py

class CommentFrom(forms.ModelForm):
    captcha = CaptchaField()

    class Meta:
        model = BlogComment
        fields = ['name', 'email', 'comment', 'parent', 'sno', 'blog', 'user', 'userprofile']

views.py

if request.method == "POST":
    comment_form = CommentFrom(request.POST)  # bind the form to the posted data
    if comment_form.is_valid():
        # note: `isinstance` here shadows the Python builtin of the same name
        isinstance = comment_form.save(commit=False)

        if request.user.is_authenticated:
            isinstance.user = request.user
        else:
            # anonymous posters are attached to a shared placeholder account
            User = get_user_model()
            isinstance.user = User.objects.get(username='anonymous_user')

        isinstance.blog = blog
        isinstance.save()
        messages.add_message(request, messages.INFO, 'Your Comment Pending for admin approval')
        return redirect('blog:blog-detail', slug=blog.slug)
    else:
        messages.add_message(request, messages.INFO, "your comment didn't submitted. please submit again ")
else:
    comment_form = CommentFrom()

I think I need to add validation in my forms.py or views.py, but I don't know how to do that for hidden input and hidden foreign key fields.

A couple of different points here:

  • You can’t secure the browser. Period. You must always realize that the browser is not under your control and anything sent back to the server from the browser must be validated.

  • Identifying the individual who is posting data is better done through your authentication / authorization system using the session and request objects rather than trying to rely upon data within the form.


I found a solution. I implemented this in my view and it's preventing the form from submitting if the user changes the value of the hidden input fields.

if request.POST['name'] != name:
    messages.add_message(request, messages.INFO, "your comment didn't submitted. please submit again ")
    return redirect('blog:blog-detail', slug=blog.slug)

As you mentioned sessions: how do I use them for hidden input fields?

Is there any way to take the value from the session and put it in the hidden input fields?

Why do you think it’s necessary to do that? The purpose of storing data in sessions is to prevent you from needing to pass it back and forth to the browser.


Okay... so the above solution will be enough to prevent the form from submitting if the user changes the value of a hidden input? We don't need sessions here.

You’re already (implicitly) using sessions. You have the line of code:

If you already have name in your view - and you know what the name should be, why are you making the browser send it back to you?


I wanted to hide the hidden value or encrypt the value of the hidden input, so the user can't see the value.

So the best way to do that is to not even send it to the browser.


I am using hidden input fields for authenticated users. I don't want them to type their username and email again if they are logged in. If I remove those hidden inputs then they need to type their name and email to post a comment.

Right now I think this is the only solution for me to prevent the form from submitting if they try to change the value of a hidden input.

if request.POST['name'] != name:

What do you think? Is it secure?

Is it secure???
if request.POST['name'] != name:

It’s not necessary. There is no reason to send a hidden name field out to the client, because you already have it on the server.

If you don’t supply the name field to the client, there’s nothing for the client to see, nothing that can be changed, and nothing to be validated.

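The server-side handling Ken describes, as an added plain-Python illustration that is not code from the thread: identity fields are taken from the session user, hidden identity inputs are never read, and the one client-chosen hidden value, parent, is checked against server-side data before use. SessionUser, Comment, build_comment and comment_blog are constructed stand-ins for Django's request.user, the BlogComment model and a database query.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SessionUser:
    """Stand-in for Django's request.user (constructed for this example)."""
    is_authenticated: bool
    id: Optional[int] = None
    first_name: str = ""
    email: str = ""
    profile_id: Optional[int] = None

@dataclass
class Comment:
    blog_id: int
    text: str
    name: str
    email: str
    user_id: Optional[int]  # None stands for the 'anonymous_user' account
    userprofile_id: Optional[int]
    parent_id: Optional[int]

def build_comment(posted: dict, user: SessionUser, blog_id: int,
                  comment_blog: dict) -> Comment:
    """Build a Comment from POST data plus the session, never from hidden identity inputs.
    comment_blog maps existing comment id -> blog id (stands in for a DB query);
    ValueError means the server should refuse the submission."""
    text = posted.get("comment", "").strip()
    if not text:
        raise ValueError("comment text is required")
    # Identity comes from the session when logged in; only anonymous posters
    # supply name/email. Posted user/userprofile/name/email from a logged-in
    # client are never read, so tampering with them changes nothing.
    if user.is_authenticated:
        name, email = user.first_name, user.email
        user_id, profile_id = user.id, user.profile_id
    else:
        name, email = posted.get("name", "").strip(), posted.get("email", "").strip()
        if not name or not email:
            raise ValueError("name and email are required for anonymous comments")
        user_id, profile_id = None, None
    # parent is the one hidden value the client legitimately chooses, so check
    # it server-side: it must be an existing comment on this same blog post.
    raw_parent = posted.get("parent", "")
    parent_id = None
    if raw_parent != "":
        if not raw_parent.isdigit() or comment_blog.get(int(raw_parent)) != blog_id:
            raise ValueError("parent must be a comment on this blog post")
        parent_id = int(raw_parent)
    return Comment(blog_id, text, name, email, user_id, profile_id, parent_id)
```

In Django terms this is the same as leaving name, email, user and userprofile out of the ModelForm's fields for logged-in users and setting them from request.user in the view, as the thread's views.py already does for user.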