How to not reveal passwords in URL?

I have a form that returns a username and a password. When I log in, the URL momentarily changes to:
https://my-project-url.com/posts/login?username=USERNAME&password=PASSWORD

Is there any way to prevent the username and passwords from being revealed in the URL?

Is this a POST request or a GET request? Because I heard that POST request don’t show query params (e.g. ?USER=username&PASS=password).

1 Like

Putting passwords in the url (using GET) is not a very good idea. You should use POST requests instead.

On the client side, you can set up post, by adding the method atribute to your form.

On the server side, you can view this:

3 Likes

It’s an app.get thing.

1 Like

Sure, you can reveal it in the URL, but here’s why it’s a bad idea.

  1. When you are at a (let’s say, coffee shop) and you connect to their wholesome, free, totally secure wifi. If people can see your history there, its not a good idea!

  2. If it’s a shared computer with everyone getting rid of their history of doing bad stuff because they don’t want it there, sees that. Or if you just have some people who ransom your computer for your history (which never actually happens) or something like that

  3. It’s just not a good idea. Imagine if someone hit the 4000 limit…

You should only do it for passing data like (for example)

  • A product ID
  • An indicator if someone wants to log out or is
  • A user’s profile
1 Like

Just to be clear, add the username and password as the POST request body. Might have to use body-parser for handling POST request body content.

1 Like

How 'bout it does have the password in the url but it modifies it so that it’s not anymore, that’s what every website does with tokens

1 Like

How about encoding the username and password and then passing it along the URL?

2 Likes

yeah, if you are using a proxy the proxy operator can log your password. And if you’re not, your isp can log your password. And also the password will be in your browser history effectively forcing password remembering

2 Likes

If you use HTTPS, your isp can only see the domain.

For example, if you are on www.youtube.com/watch?v=dQw4w9WgXcQ over https, your ISP would only be able to see www.youtube.com

2 Likes

Pretty cool! Now I am a lot less worried :smiley:

1 Like