Apply CSS display:none or use if(false){content} to block content at clients?

Question

Approach 1: Using CSS display:none means that the content is sent to the client but is hidden from view. In other words; the content does exist but without occupying any space.

Approach 2: Using if(false){content} prevents the content from being sent to the client at all.

<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>Approaches</title>
    </head>
    <body>
        <div <?php if (true) {echo 'style="display:none;"';}?>>
          Approach 1
        </div>

        <?php if (false): ?>
            <div>
              Approach 2
            </div>
        <?php endif; ?>
    </body>
</html>

Which is regarded better in terms of security practices?

If both are secure, then which is regarded better in terms of performance and code design methodology?

For sure you should take in consideration that just not displaying a piece of code is a security issue, you either don't render that at all(second option), either you make it modular so each part should take care of it's own info. (Talking about MVC --> CodeIgniter since you are on php) — Dinca Adrian, May 26 '17 at 08:16

Ethan · Answer 1 · 2017-05-26T08:19:47.087

2

Definitely Approach 2

If you don't want the client to view your content, then not sending it to them at all is always better.

Approach 1 verdict:

If you send them the div's content, then they can always view your page's source and see it there, even though it's not shown to them on screen.

Approach 2 verdict:

Because the content is never sent to them in the first place, they can't see it even if they view source.

edited May 26 '17 at 08:19

answered May 26 '17 at 08:15

Ethan

4,295
4
25
44

1

It's php, if he goes second option php is already compiled and you won't see the div at all, not even a comment as it is in AngularJS. – Dinca Adrian May 26 '17 at 08:17
True @DincaAdrian I've updated my answer to include your comment. – Ethan May 26 '17 at 08:20

score 0 · Answer 2 · answered May 26 '17 at 08:21

For security practices, definitely for approach #2. Let's say your "hidden" div contains sensitive information that it's only ment for Admin level. If you simple put the CSS on display none, they can view the HTML content and see the sensitive information.

For performance practices, as far as I remember, your browser does render the hidden div, but doesn't show it. So the HTML is downloaded and parsed, but not shown.

I would go for the approach #1, if you want to show hidden div's when someone clicks on a certain button on that specific page. For example, if you have a "Read more..." button that should show the rest of the content (which in a separate div).

Apply CSS display:none or use if(false){content} to block content at clients?

2 Answers2

Linked