Which HTML attribute can not be modified?

It does not exist, it's not really just HTML, it's anything, every time you depend on a client you're vulnerable, so you should never trust anything that comes from the client, everything may come unexpectedly. Never trust the client !

Imagine that in most of the existing software, mainly web only work by coincidence, because in general nobody moves, it is rare the programmer who validates all data entries and only accepts what is really appropriate.

Non web applications make it difficult to do a little more because it requires a technical knowledge that few have, but for the web, anyone curious can detonate their application.

Think about the difference between whether a person accesses a id from their normal page or Dev Tools? Is there a situation where the person can not access this id ? Ensure on the server that this is not possible. There is no other way.

And make sure the server is not vulnerable. Ensure that the submission can not be compromised, otherwise the server will not be secure.

There's no way around it. If the client changes a code that will be sent to the server, it is the server that should validate: check if the value exists, if the received value is valid, if the client that sent it had authorization for that, etc etc ... < p>

But it's always good to pre-validate frontend as well, since it saves requests to the server.

In your example, if the guy swaps id = 10 to id = 12, for example, and in the normal way that does not make a difference, he will only be trading 6 per half-dozen. Now, if he swaps id = 10 for id = 13 and the value "13" is not included in the values this user can tinker with, his backend should know this and prevent the script from proceeding.