I want to know whether there is any way to prevent elements of an HTML form from being changed on the client side before submit (the elements that have a value, like hidden elements)?

Let's say I have hidden elements. I want to make sure their values haven't been changed by the user on purpose.

Or what is the HTML form security best practice?

A: 

You can't make sure that the HTML content wasn't changed on the client side, but you can check the passed values on the server side.

Wael Dalloul
+2  A: 

Generally, you should make sure that your system is robust enough to handle any sort of malicious input. Assuming that you've taken care of that, if you still need to make sure the information hasn't been tampered with, then use an HMAC. Your web library or programming language should have some sort of routine for this built in.

Theran
+2  A: 

No, there is no way to prevent the client from sending you arbitrarily manipulated or malformed requests. That's not just true for web apps, it's true for any app where you don't physically control the client.

Best practice is to expect that and deal with it. Specific mechanisms to do that include:

  • Keep data in a server-side session variable instead of using hidden fields
  • Alternatively, use cryptographic hash sums (that include a salt and the client's IP address) to ensure data has not been tampered with
  • Run all client-supplied data through functions that strip potential SQL injection or XSS attacks before using it
  • Check user authorization on every page (so that people can't e.g. see/manipulate other users' data simply by changing the id parameter on the "edit profile" page)

Michael Borgwardt
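The HMAC approach mentioned in the two answers above (sign the hidden values on the server, verify them when the form comes back), as an added example that is not part of any answer on this page. It uses only the Python standard library; the secret key, the field names, the session id and the prices are constructed values for illustration.

```python
import hashlib
import hmac
import html
import json

# Server-side key. Constructed value for this example; a real application loads it
# from configuration and never sends it to the browser.
SERVER_SECRET = b"example-only-secret-key-change-me"

# Names of the hidden inputs whose values must come back unchanged (assumed form).
PROTECTED = ("item_id", "price")


def _canonical(fields: dict, context: str) -> bytes:
    # Sort keys so the signature does not depend on the order of the <input> tags,
    # and fold in a per-user context (e.g. a session id) so a signed set of values
    # cannot simply be copied into another user's form.
    payload = {"fields": {k: str(fields[k]) for k in PROTECTED}, "context": context}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_fields(fields: dict, context: str = "", secret: bytes = SERVER_SECRET) -> dict:
    """Return the protected fields plus a 'sig' value, ready to emit as hidden inputs."""
    sig = hmac.new(secret, _canonical(fields, context), hashlib.sha256).hexdigest()
    signed = {k: str(fields[k]) for k in PROTECTED}
    signed["sig"] = sig
    return signed


def verify_fields(submitted: dict, context: str = "", secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the HMAC over what the client sent back and compare in constant time."""
    if any(k not in submitted for k in PROTECTED) or "sig" not in submitted:
        return False
    expected = hmac.new(secret, _canonical(submitted, context), hashlib.sha256).hexdigest()
    # compare_digest does not leak how many leading characters matched through timing.
    return hmac.compare_digest(expected, submitted["sig"])


def render_hidden_inputs(signed: dict) -> str:
    """Render the signed fields as hidden inputs, escaping values for HTML."""
    return "\n".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in signed.items()
    )


if __name__ == "__main__":
    session_id = "sess-abc123"  # constructed
    signed = sign_fields({"item_id": 42, "price": "19.99"}, context=session_id)
    print(render_hidden_inputs(signed))

    # Honest submission: the browser echoes the fields back unchanged.
    print("untampered:", verify_fields(signed, context=session_id))   # True

    # The hidden price was edited before submitting.
    tampered = dict(signed, price="0.01")
    print("tampered:", verify_fields(tampered, context=session_id))   # False

    # The same fields replayed under a different session fail as well.
    print("replayed:", verify_fields(signed, context="sess-other"))   # False
```

The signature covers only the listed hidden fields, so everything else the form submits still needs normal server-side validation. The `context` argument is where a session id (or, as the answer above suggests, a salt plus the client's IP address) is mixed in; a session id is the safer binding, since client IP addresses change behind proxies and on mobile networks and would then reject legitimate submissions.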
A: 

I suggest you try for yourself to see how trivial it is for a user to modify what is submitted by a form. The Tamper Data addon for Firefox is exactly for this purpose.

Hidden fields are only visually hidden; they have no special protection from being modified before submission. Best practice is to validate everything that gets submitted - you can't assume any client-side validation (e.g. JavaScript, field lengths) has been adhered to.

Andrew Strong
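Server-side validation that ignores whatever `maxlength`, `<option>` list or JavaScript checks the HTML advertised, as an added example that is not part of any answer on this page. The form fields and the rules for them are constructed for illustration.

```python
import re

# Server-side rules for an assumed order form. These are the only rules that count;
# the browser's maxlength attributes and option lists are just hints to honest users.
RULES = {
    "username": {"required": True, "max_len": 20, "pattern": re.compile(r"^[A-Za-z0-9_]+$")},
    "quantity": {"required": True, "type": int, "min": 1, "max": 10},
    "shipping": {"required": True, "choices": {"standard", "express"}},
    "note":     {"required": False, "max_len": 200},
}


def validate(submitted: dict) -> dict:
    """Return {field: error}; an empty dict means the submission is acceptable.

    Fields the form never had are rejected too, since a client can add any
    parameter it likes to the request.
    """
    errors = {}
    for name in submitted:
        if name not in RULES:
            errors[name] = "unexpected field"
    for name, rule in RULES.items():
        value = submitted.get(name)
        if value is None or value == "":
            if rule.get("required"):
                errors[name] = "required"
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors[name] = f"longer than {rule['max_len']} characters"
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors[name] = "contains disallowed characters"
            continue
        if "choices" in rule and value not in rule["choices"]:
            errors[name] = "not one of the offered options"
            continue
        if rule.get("type") is int:
            try:
                n = int(value)
            except ValueError:
                errors[name] = "not an integer"
                continue
            if not rule["min"] <= n <= rule["max"]:
                errors[name] = f"out of range {rule['min']}..{rule['max']}"
    return errors


if __name__ == "__main__":
    # Constructed submissions: what an honest browser sends, and what a modified
    # request might carry despite the form's client-side limits.
    honest = {"username": "alice_01", "quantity": "2", "shipping": "express", "note": ""}
    modified = {"username": "x" * 50, "quantity": "0", "shipping": "free",
                "note": "hi", "is_admin": "1"}
    print("honest:", validate(honest))      # {}
    print("modified:", validate(modified))  # four errors, one per bad field
```

Validation runs on the raw strings the request carried, converting only after a field has passed its checks, so a value like `"0"` for `quantity` is rejected by the range rule rather than silently accepted because it parsed.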