Is it safe to leave crucial information in a hidden input in HTML?

Can I put, for example, the ID of a user that I will run a SELECT on in a hidden input, and use it (the id) without having to confirm that that ID belongs to the logged-in user? In other words, can the user change the hidden input?

Author: hugocsl, 2019-07-25

2 answers

Everything on the client machine is manipulable. Everything you receive from outside your server is unreliable. If your server is not absolutely secure, your code cannot be trusted either (an absurd number of servers stay hacked for months or years without anyone knowing, because people think it's easy to deal with it and that a hack will be apparent; good attackers won't let you notice).

If your system depends on the quality of information coming from outside in order to work, it is very wrong. No one even needs your page to send inappropriate things to your server, and anything he can ask for that you decide to deliver, he will have access to.

The only thing the hidden form element does is not show the information on the screen; it is still there, completely exposed. But as said above, it does not even matter whether it is hidden or not: once you have sent the information out in any way, it is available.

Your view is completely misguided; you don't need a browser to do any of this. Break-ins happen because there are people who understand how technology works and millions who do not and leave everything vulnerable. People think they can make websites functional and safe just by writing a bit of code. The amount of knowledge required is enormous and goes far deeper than coding something.

Is the id classified information? I doubt it, but if it is, you cannot pass it to anyone. If your system depends on the secrecy of the id, your application must have something very wrong with it.

If your system lets outsiders do anything they shouldn't just because they know the id, your system is very wrong. What gives your system security is you, coding properly and understanding all the kinds of attacks that can be carried out. Confirm what? If you don't have a trustworthy authentication and authorization system, you have nothing to confirm against.

As an example, some 80 or 90% of the code people post here that contains a query suffers from SQL injection. We (some of us; others don't even care) teach the right thing and the person keeps doing it wrong. Most have not even heard the term, and that is only the most obvious type of attack.

 4
Author: Maniero, 2019-07-26 00:15:00
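As an added example (not code from the original thread or from either answerer), the following Python shows the difference between trusting the hidden input and deriving the identity from a server-side session, using an in-memory SQLite database. The table layout, the `session` dict standing in for login state the server keeps itself, and the `SERVER_SECRET` are assumptions made for illustration. It also shows two things the answer above implies: a parameterised query alone does not fix this (the vulnerable handler is already safe from SQL injection; the bug is that the client picks the id), and, for the case where a value really must round-trip through the browser, an HMAC-signed hidden field makes tampering detectable, which still does not replace the ownership check.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data for this example (not from the original thread):
# two users, each owning one order.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, item TEXT NOT NULL);
        INSERT INTO users  VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO orders VALUES (10, 1, 'alice-laptop'), (11, 2, 'bob-phone');
    """)
    return conn

def parse_int(value):
    """Form fields arrive as strings; anything that is not a small positive int is rejected."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    return n if 0 < n < 2**31 else None

# --- Vulnerable: the "owner" is whatever the hidden input says -----------------
def vulnerable_orders(conn, form):
    """Trusts <input type="hidden" name="user_id">. The query is parameterised, so
    there is no SQL injection here; the bug is that the client chooses the user_id."""
    uid = parse_int(form.get("user_id"))
    if uid is None:
        return []
    rows = conn.execute("SELECT item FROM orders WHERE user_id = ?", (uid,)).fetchall()
    return [r[0] for r in rows]

# --- Hardened: identity comes from the server-side session, never from the form ---
def hardened_orders(conn, session, form):
    """`session` stands for state the server created at login and keeps itself
    (e.g. keyed by an opaque cookie). Any user_id the form carries is ignored."""
    uid = session["user_id"]
    rows = conn.execute("SELECT item FROM orders WHERE user_id = ?", (uid,)).fetchall()
    return [r[0] for r in rows]

def hardened_order_detail(conn, session, form):
    """The client may legitimately say *which* order it wants; ownership is
    enforced in the same query, so a foreign id simply finds nothing."""
    order_id = parse_int(form.get("order_id"))
    if order_id is None:
        return None
    row = conn.execute(
        "SELECT item FROM orders WHERE id = ? AND user_id = ?",
        (order_id, session["user_id"]),
    ).fetchone()
    return row[0] if row else None

# --- If a value really must round-trip through the client, make tampering detectable ---
SERVER_SECRET = b"hypothetical-server-only-key"  # assumption: generated and kept server-side

def sign_field(value):
    """Returns 'value.hexmac' for use as a hidden input's value."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def verify_field(field):
    """Returns the original value, or None if the field was altered or malformed."""
    value, sep, mac = field.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    # Compare as bytes in constant time; mac is attacker-controlled text.
    return value if hmac.compare_digest(mac.encode(), expected.encode()) else None

if __name__ == "__main__":
    conn = make_db()
    alice = {"user_id": 1}  # server-side session for alice
    # Alice edits the hidden field to 2 and reads Bob's orders.
    print("vulnerable:", vulnerable_orders(conn, {"user_id": "2"}))
    # The same tampered form against the hardened handler: only Alice's own rows.
    print("hardened:  ", hardened_orders(conn, alice, {"user_id": "2"}))
    print("bob's order as alice:", hardened_order_detail(conn, alice, {"order_id": "11"}))
    tampered = sign_field("1").replace("1.", "2.", 1)
    print("tampered signed field verifies as:", verify_field(tampered))
```

The signed field only proves the value came from the server unmodified; it says nothing about whether the current session is allowed to act on it, so `hardened_order_detail`'s `AND user_id = ?` is still needed even when the id arrives signed.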

Well... if this ID is considered sensitive information, the correct thing is not to handle it through HTML elements, since it can be found by inspecting the page. A more experienced user who knows about the browser devTools, yes, can change the hidden input. The correct thing would be to handle this information on the server or even in JavaScript, without tying it directly to an HTML input. Another solution would be to pass it as a URL parameter (if it's not sensitive information, of course).

 -1
Author: Thiago Saraiva, 2019-07-25 23:30:47