Is it safe to have inputHidden variables in jsf

Question

I have a jsf page which have inputHidden fields whose values are flags to other functionalities (for instance conditional popup display,...) in my application. I want to know is it safe to have those values in hidden fields cant they be tampered in request or elsewhere

Answer 1

Like as every other non-readonly/non-disabled input, they can be tampered.

If that's a concern, store those values in a view scoped bean instead.

See also:

• How to choose the right bean scope?
• Difference between View and Request scope in managed beans