I have a form that returns a username and a password. When I log in, the URL momentarily changes to:
https://my-project-url.com/posts/login?username=USERNAME&password=PASSWORD
Is there any way to prevent the username and passwords from being revealed in the URL?
Is this a POST request or a GET request? Because I heard that POST request don’t show query params (e.g. ?USER=username&PASS=password).
Putting passwords in the url (using GET) is not a very good idea. You should use POST requests instead.
On the client side, you can set up post, by adding the method atribute to your form.
On the server side, you can view this:
It’s an app.get thing.
Sure, you can reveal it in the URL, but here’s why it’s a bad idea.
When you are at a (let’s say, coffee shop) and you connect to their wholesome, free, totally secure wifi. If people can see your history there, its not a good idea!
If it’s a shared computer with everyone getting rid of their history of doing bad stuff because they don’t want it there, sees that. Or if you just have some people who ransom your computer for your history (which never actually happens) or something like that
It’s just not a good idea. Imagine if someone hit the 4000 limit…
You should only do it for passing data like (for example)
Just to be clear, add the username and password as the POST request body. Might have to use body-parser for handling POST request body content.
How 'bout it does have the password in the url but it modifies it so that it’s not anymore, that’s what every website does with tokens
How about encoding the username and password and then passing it along the URL?
yeah, if you are using a proxy the proxy operator can log your password. And if you’re not, your isp can log your password. And also the password will be in your browser history effectively forcing password remembering
If you use HTTPS, your isp can only see the domain.
For example, if you are on www.youtube.com/watch?v=dQw4w9WgXcQ over https, your ISP would only be able to see www.youtube.com
Pretty cool! Now I am a lot less worried 
This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.