@thewk You can't prevent him from altering the HTML, but if he doesn't know what to alter it to, you can at least verify whether it has been altered.
For example, your server evaluates the answers submitted, and decides that the score was 68. It gives a results page saying:
User = Alice Cheatypants
Score = 68
Verification Code = 51ef2c256b08
Internally it calculates the verification code by concatenating "Alice Cheatypants" + "68" + "my_super_secret_password" and performing some cryptographic hash. As long as "my_super_secret_password" never leaves your server, the user can't know what the hash should be for "Alice Cheatypants" + "100" + "my_super_secret_password". So if the user edits the HTML so it says "100", you can compute what the hash should have been, note the mismatch, and flag the screenshot as invalid. And because it has the username as part of the plaintext, Alice can't just ask Bob what his verification code was, then edit her score and code to match his.
Note that this means the scoring of the test has to be done server-side. If you allow the user to tell you his *score* rather than his *answers*, you completely negate the benefits because he can just tell the server to give him the code matching a higher score.
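A sketch of the verification-code scheme described in the comment above, added here as an example and not part of the original post. It swaps the "concatenate the secret and hash" construction for HMAC-SHA256 and length-prefixes each field so that different name/score pairs can never produce the same input; the function names and the key value are assumptions for illustration.

```python
import hashlib
import hmac

# Assumption: placeholder key. In practice it is loaded from server-side
# configuration and never sent to the client.
SECRET_KEY = b"my_super_secret_password"
CODE_HEX_LEN = 12  # same length as the sample code in the comment above


def _message(user: str, score: int) -> bytes:
    """Encode the fields unambiguously before they are authenticated.

    Plain concatenation makes ("Alice1", 0) and ("Alice", 10) the same
    string "Alice10"; a 4-byte length prefix per field keeps them distinct.
    """
    parts = [user.encode("utf-8"), str(score).encode("ascii")]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def verification_code(user: str, score: int, key: bytes = SECRET_KEY) -> str:
    """Return the code printed on the results page for (user, score)."""
    mac = hmac.new(key, _message(user, score), hashlib.sha256)
    # Truncated for display; a shorter code is easier to guess, so the
    # checking tool should limit how many attempts it accepts.
    return mac.hexdigest()[:CODE_HEX_LEN]


def verify(user: str, score: int, code: str, key: bytes = SECRET_KEY) -> bool:
    """Recompute the code for what the screenshot claims and compare."""
    expected = verification_code(user, score, key).encode("ascii")
    supplied = code.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, supplied)  # constant-time compare


if __name__ == "__main__":
    # Constructed sample data: the server scored Alice at 68.
    alice_code = verification_code("Alice Cheatypants", 68)
    bob_code = verification_code("Bob", 100)
    print("genuine page:      ", verify("Alice Cheatypants", 68, alice_code))
    print("score edited:      ", verify("Alice Cheatypants", 100, alice_code))
    print("Bob's code reused: ", verify("Alice Cheatypants", 100, bob_code))
```

The check only has value if someone actually runs `verify` on the name, score and code shown in the screenshot.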
@khird
Problem here is, we have a tool that would verify the score, but the customer's staff just went with the screenshot of the score…