3

I am creating a MEAN stack application.

I have noticed by chance that whenever I send the credentials of the user to the backend, I can "fish" it from the network option on the browser (F12). See image?

What is the fastest and simplest way to handle this?

What is the more well-elaborated approach?


jonrsharpe
  • 1,318
  • 2
  • 12
  • 17
  • I have noticed I was downvoted, sorry for the question! I am new here and had no time to keep reading the rules. Really sorry. I have tried to delete the question, but I cannot; I hope this question does not bother you. – Jorge Guerra Pires Apr 23 '20 at 12:52
  • 3
    Don't take downvotes too personally, they are just a feedback mechanism, and the score will oscillate over time. It's helpful when downvoters leave a comment; but generally, unless the question is completely off-topic, it can usually be improved by making it more specific, or more focused on a more concrete SE/design/architecture problem. – Filip Milovanović Apr 23 '20 at 13:46
  • Hey there, thanks for the comment. Since I am new here, the first thing that came to my mind is that the question was out of focus. Stack Overflow has a similar mechanism. I usually upvote the questions that I believe were wrongly downvoted; initially it was hard for me on Stack Overflow, and here it also seems the same. Indeed, it would be much more helpful if the person left a comment, so that one can improve. – Jorge Guerra Pires Apr 23 '20 at 14:11

2 Answers

15

Who can press F12 to see the password?

The person operating the web browser. Who is the same person who just entered that password.

That a user can see their own password in the browser developer tools is not by itself a problem; any "solution" to that is going to be useless snake oil.

An actual security problem only exists when other people who are neither the user nor the owner/admin of the server can see the password. And if the request is sent via plain HTTP, that is in fact the case.

The solution to that is HTTPS.

Which is exactly the reason why there has been an ongoing campaign by security experts for years to basically retire plain HTTP for user-facing websites:

Sidenote: encrypting the request in your application may make the password not decipherable when pressing F12, but will not solve the security problem, because the encryption key will be part of your application and delivered on demand to anyone visiting your website. HTTPS includes a mechanism for the server and client to agree on an encryption key to use for a session without letting any outsider see that key.

Michael Borgwardt
  • 51,037
  • 13
  • 124
  • 176
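The HTTPS requirement from the answer above, as an added example that is not part of the original answers or of any project's code: an Express-style middleware for a Node (MEAN) backend that refuses a login POST that did not arrive over TLS, redirects plain-HTTP page loads to the HTTPS origin, and sets HSTS once the connection is secure. It assumes Node's http request/response shapes, and that `trustProxy` is enabled only behind a reverse proxy that is known to set X-Forwarded-Proto.

```javascript
// Added example, not code from the original answer: an Express-style
// middleware for a Node (MEAN) backend that refuses to accept a login over
// plain HTTP. Node built-ins only; req/res are assumed to have the shape of
// Node's http.IncomingMessage / http.ServerResponse.
const HSTS_VALUE = "max-age=31536000; includeSubDomains";
// Did the request arrive over TLS? Behind a reverse proxy (nginx, a load
// balancer) Node itself sees plain HTTP, so X-Forwarded-Proto is honoured
// only when the deployment explicitly trusts the proxy to set it.
function isSecure(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const proto = String(req.headers["x-forwarded-proto"] || "")
    .split(",")[0].trim().toLowerCase();
  return proto === "https";
}

function enforceHttps({ trustProxy = false } = {}) {
  return function (req, res, next) {
    if (isSecure(req, trustProxy)) {
      // Tell the browser to use HTTPS for future visits as well (HSTS).
      res.setHeader("Strict-Transport-Security", HSTS_VALUE);
      return next();
    }
    const host = req.headers.host;
    if (!host) {
      res.statusCode = 400;
      return res.end("Bad Request");
    }
    if (req.method === "GET" || req.method === "HEAD") {
      // Safe requests are simply redirected to the HTTPS origin.
      res.statusCode = 301;
      res.setHeader("Location", `https://${host}${req.url}`);
      return res.end();
    }
    // A POST carrying a password has already crossed the network in the
    // clear. Refuse it rather than redirect, so the misconfiguration shows
    // up during development instead of silently "working" over HTTP.
    res.statusCode = 403;
    return res.end("Credentials must be sent over HTTPS");
  };
}
// Run the middleware against a stub response and report what it decided.
function simulate(req, options) {
  const res = { statusCode: 200, headers: {}, end() {},
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; } };
  let nextCalled = false;
  enforceHttps(options)(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, headers: res.headers, nextCalled };
}
```

In an Express app this is registered with `app.use(enforceHttps({ trustProxy: true }))` ahead of the login route; `simulate` exists only so the decisions can be checked without opening a socket.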
1

You must send credentials only to services running HTTPS to protect the data as it is sent to the server.

Jozef Izso
  • 144
  • 4