Rephrase security section for hidden inputs#44564
Conversation
I found the phrasing "pretty much any reputable server-side framework" to be opinionated in a slightly negative way, so I replaced that phrasing, then I reorganized the entire section and attempted to make it sound more neutral and professional in general.
github-actions
Bot
added
Content:HTML
|
Preview URLs (1 page) (comment last updated: 2026-06-25 14:22:12) |
|
We now have a whole page on CSRF, including a section on CSRF tokens: https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF#csrf_tokens. In my opinion it's better just to point to that page, than to try to summarise how CSRF and CSRF tokens work - I don't really think it's possible to summarise this in a way that's comprehensible and correct, so to understand it you have to read the full version anyway. So would be better, here, to say something like: "a common use of hidden fields is as CSRF tokens, which help protect websites against CSRF attacks". |
| Hidden inputs may also be used to store and submit security tokens (or _secrets_) for the purposes of improving website security. For example, this technique can help prevent a type of attack known as a [Cross Site Request Forgery (CSRF)](/en-US/docs/Learn_web_development/Extensions/Server-side/First_steps/Website_security#cross-site_request_forgery_csrf). Many server-side frameworks use hidden secrets to prevent such attacks. | ||
|
|
||
| This would stop a malicious user from creating a fake form, pretending to be a bank, and emailing the form to unsuspecting users to trick them into transferring money to the wrong place. This kind of attack is called a [Cross Site Request Forgery (CSRF)](/en-US/docs/Learn_web_development/Extensions/Server-side/First_steps/Website_security#cross-site_request_forgery_csrf); pretty much any reputable server-side framework uses hidden secrets to prevent such attacks. | ||
| The basic idea is that if a user is filling in a sensitive form, such as a form on a banking website to transfer money, the data within the hidden input would prove both that they are who they say they are and that they are using the correct form to submit the transfer request. This would stop malicious users or bots from submitting a fake version of the form. |
There was a problem hiding this comment.
I'm not sure how a CSRF token proves that the user is "who they say they are". AIUI it helps ensure that the page containing the form was really served by the legitimate server, and isn't on a malicious site.
This is also not quite right:
This would stop malicious users or bots from submitting a fake version of the form.
In CSRF, malicious users don't submit fake forms. The real user submits the fake form - that's why it's a problem (because it contains the real user's cookies).
Like I say, it's hard to explain this correctly, concisely, and comprehensibly, so I think it is better just to link to the guide page, where we have the space to explain it properly.
There was a problem hiding this comment.
Completely agree with you. I was not confident enough in my own understanding to change that phrasing about proving identity.
In pointing to this page then, the whole section becomes two short sentences. Does it still need its own section at that point? I'll go ahead and try to update the PR if so. Otherwise we can move these details about security on the page if you agree with me.
Thank you for the feedback!
There was a problem hiding this comment.
Yeah, it's a good question. I think it is probably worth keeping the section on this page even when it is very short, just to have it clearly signposted. And otherwise we get structural problems here, because Tracking edited content wants to be its own section, so then where do you put the security use case?
But sometimes this is the kind of thing you have to see, to get a feeling about whether it is sensible or not.
BTW I didn't say this before but I should have, or it sounds like I'm only complaining: I agree with your original motivation for making this change, and think this is an improvement. So, thank you!
Also removed any notes throughout the page saying that the field cannot be edited.
github-actions
Bot
added
size/s
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
3 participants
Description
Clarify the security section on the docs about the hidden input type.
Motivation
I found the phrasing "pretty much any reputable server-side framework" to be opinionated in a negative way, so I replaced that phrasing first. Then I reorganized and clarified both paragraphs in that section and attempted to make it sound more neutral and professional in general.