html5输入“必需”是一种安全的验证技术吗？

Question

I am concerned about web security and the use of the HTML5 required word on input tags. I am trying to use it as part of 'form input validation'. Is the use of the HTML5 'required' on input tags something that is reliable for validation or is it easily manipulated by a user trying to bypass the input field requirement.

I have searched for information on html security and found little on this.

Thanks

Answer 1

In short, the answer is no, client side code is not a safe place to rely on security checks.

The method of using required provides the user with feedback and allows for a nicer user interface, but for security you will want to perform fidelity checks on all data passed over to the server side, how that is done depends on your backed architecture.

To answer your question in the comments, the required attribute is there to prevent the form being submitted without the field being complete, this is however purely to help the user know it is required. If you have a hacker simply remove the required attribute from the markup, then they're up to no good anyway and that's where a backend check will save you.

Answer 2

In my Opinion it is not an effective method. Required attribute can easily be changed using inspect element on that field on the browser. The main thing here is to keep in mind that all client side validation is your first line of defense but most of the time you need an extra layer to check on your server side. I could make an http post request to the action field of your form without using your form at all with tools like postman (chrome extension) if your server doesnot have extra validation then you are not safe.