Is Blazor server side bind-value secure?
Can I bind entity model values in Blazor server side directly and secure? I'm starting worried, that client can in some way (with some tool) edit the communication message and set for example not "Age" but "Role" value in example below.
I see that there is some {"componentId":11, "fieldValue":88} in message, so maybe some other modified number for example {"componentId":12, "fieldValue":88} will set not "Age" but "Role"?
It seems that it's secure:
Server only receives an event with data when you register an event or bind to a value. That event is mapped to the delegate that gets registered in @onchange or @bind, so it can't change any other value.
A client could try to dispatch a random event to the server, but that will simply result in the payload being ignored (and I believe this is the case, the circuit terminating)
In general, the client can't make any change that the server is not explicitly allowing by defining specific event handlers.
In my experience, SSR Blazor properties are updated in ValueChanged delegates (This delegate is automatically created if you do a @bind-x or set an @onchange, @oninput, @onclick or any other event handler on an Html element ), so if no such delegate exist I can't see how that property can be updated from client code.
Answers from: https://github.com/dotnet/aspnetcore/issues/60159
If somebody has some other opinion - please discuss in comments.
- Radzen Blazor sidebar expanded doesn't work
- MainLayout and Sidebar rendermode in Blazor
- How to persist security in Blazor while prerendering
- Is Blazor server side bind-value secure?
- Updating global breadcrumbs in blazor
- Blazor InputText: conditionally rendering an attribute
- How can I declare an array for ChildContent RenderFragment
- Cannot convert lambda expression to intended delegate type because some of return types in block aren't implicitly convertible to delegate ret-type
- Static content and CSS isolation bundles from dynamically added Razor Class Library not working
- In a Blazor InteractiveAuto project with GPRC, how can the server communicate with itself with user authentication?
- Blazor .NET 9 web app with renderMode=Auto; clarification
- Blazor Web App 9 (Server / Gloabl) JWT Authentication
- Why isn't sibling component updating its content?
- How to setup Windows AD authentication in Blazor Server on .NET 9?
- How can a Blazor server side app redirect from http://hostname to http://hostname/route1 on load?
- NavigationError on NavigateTo
- How can I ensure immediate navigation to the Products page with a "Loading" label displayed while awaiting API data in a Blazor Server app?
- Confusing with the Blazor CSR
- How can i see which code is setting my components parameter property
- Handle EFCore Lifetimes in Blazor Server where Backend is used for REST API as well
- OIDC authentication in server-side Blazor
- Inconsistencies after Visual Studio Version 17.12.3 with Blazor program Error RZ9991, Error RZ10012
- Get email, phone, etc from OAuth2 login
- Blazor (Server Side) TextArea Fails With Long-ish Strings
- How to pass a RenderFragement<object> Template to a Blazor component
- How to import IConfiguration in Blazor server side razor component?
- HTML0003 Missing attribute name after upgrading to latest Visual Studio in Blazor project
- Notifications are not being shown when actions invoked via hotkey
- Get Current User in a component
- How to make webassembly component work in hosted Blazor web app project?