Documentation - V-222601

V-222601

Application Security and Development Security Technical Implementation Guide

CAT I

Title

The application must not store sensitive information in hidden fields.

Description

<VulnDiscussion>Hidden fields allow developers to process application data without having to display it on the screen. Using hidden fields to pass data in forms is a common practice among web applications and by itself is not a security risk. However, hidden fields are not secure and can be easily manipulated by users. Information requiring confidentiality or integrity protections must not be placed in a hidden field. If data that is sensitive must be stored in a hidden field, it must be ...

Fix Text (Documentation Requirement)

Design and configure the application to not store sensitive information in hidden fields. Encrypt sensitive information stored in hidden fields using DoD-approved encryption and use server side session management techniques for user session management.

View Full STIG Details →

Documentation Status

Status

Documented Verified - link to a ship document Awaiting Review Evidence submitted, needs verification Pending Needs documentation Not Required Documentation not needed Not Applicable STIG doesn't apply

Notes (Optional)

Cancel