-2

I'm learning to use a payment method via SCI. and for that I have to send a POST/GET request to The SCI.

everything is working fine. the payment goes well. but when I open the page and inspect it, I can see The input fields of the form. (type-->hidden) then using the edit HTML I can change the amount as you can see in the image bellow
edit HTML 

<input type="hidden" name="amount_USD" value="60" readonly>

the readonly does not do the job! how can I make HTML Code unchangeable. or if there is any alternative way to code this in a more secure way.

Igzo
  • 57
  • 9

2 Answers2

3

You can never make client side code completely protected, because there are many tools one can use to manipulate the files. Anything from browser extensions to developer tools can do this. Code that can be modified includes HTML, CSS, and client-side JavaScript.

If your app/website relies on this type of security, it will never be completely secure.

Chrome Dev Tools is only one example of a way some could maliciously use your app. You should evaluate your security practices from the back end to front end.

luxdvie
  • 902
  • 8
  • 16
  • 1
    You are totally right. But be careful when saying JavaScript, since there is server side javascript (i.e. node.js) too. Also never trust user input, always remember that and do your validations :) – Manuel Mannhardt Sep 19 '17 at 18:39
1

There is nothing you can do to prevent the user from being able to edit the HTML on client (browser). You should implement server side validation to reject invalid data.

You can read more about it here: JavaScript: client-side vs. server-side validation

In this particular case, you could do something that rejects the amount received from client if it doesn't match on the server. Or, do not receive the amount from the client at all, if the client should not be able to change it.

Nisarg Shah
  • 14,151
  • 6
  • 34
  • 55