Login password appears in the clear in the request headers
Thread: https://liferay.dev/en/c/message_boards/find_thread?p_l_id=119785333&threadId=88572585

Login password appears in the clear in the request headers
Mashuk Choudhury, 2017-04-20T15:02:39Z
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=88572584

Hi,
In our organization, our security teams have scanned a number of websites which are hosted on Liferay 6.2 GA5 CE and their scanning tools have picked up on the fact that the login password can be seen in the clear when using something like Chrome Developer toolbar. We are using the default authentication model from Liferay.

In order to see this, I open a Chrome browser and enable the developer tools and go to the Network option and then I navigate to a login page of a Liferay hosted

RE: Login password appears in the clear in the request headers
Pankaj Kathiriya, 2017-04-20T15:18:14Z
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=88572764

AFAIK, this happens with every other website.
One possible solution can be to encrypt/hash the password field (using JavaScript before form submit) and decrypt/unhash it (before actual authentication happens).

RE: Login password appears in the clear in the request headers
Olaf Kock, 2017-04-20T15:19:34Z
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=88570927

> Mashuk Choudhury:
> I enter my details and I am able to login. If I then view the first resource in the network option, I can see the request headers and after that I can see the Form Data which shows the login userid and password in the clear. The security team has picked up on this and would like the password to be masked.

Are you saying: "When I enter my password in the login box, it's being transmitted to the server"?

There's nothing that you can do with it, that is worth thinking about, except forcing https. Anything else will be obfuscating, but not adding security.

RE: Login password appears in the clear in the request headers
Mashuk Choudhury, 2017-04-21T08:25:36Z
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=88610712

> Olaf Kock:
> Are you saying: "When I enter my password in the login box, it's being transmitted to the server"?
> There's nothing that you can do with it, that is worth thinking about, except forcing https. Anything else will be obfuscating, but not adding security.

When I enter my login details and click submit then it's being transmitted.
I am checking with the application security team to see if the problem is related to https not being set up correctly on the testing environment.

RE: Login password appears in the clear in the request headers
Olaf Kock, 2017-04-21T12:18:06Z
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=88621033

> When I enter my login details and click submit then it's being transmitted. I am checking with the application security team to see if the problem is related to https not being set up correctly on the testing environment.

I'm wondering what your app security team is expecting, or how they'd like the password to be transmitted to the server in order to log in. There's no problem with transmitting a clear text password to the server, if it's done through https. Transmitting an encrypted password would require the transmission of the encryption key as well, which wouldn't make it more secure. That's exactly the problem that https solves.

RE: Login password appears in the clear in the request headers
Mashuk Choudhury, 2017-05-02T14:52:28Z
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=88965830

> I'm wondering what your app security team is expecting, or how they'd like the password to be transmitted to the server in order to log in. There's no problem with transmitting a clear text password to the server, if it's done through https. Transmitting an encrypted password would require the transmission of the encryption key as well, which wouldn't make it more secure. That's exactly the problem that https solves.

So the problem was that the user credentials were being transmitted over http rather than https.
So transmitting over https will be sufficient to resolve this.
Thanks to everyone who posted to this thread.

RE: Login password appears in the clear in the request headers
Chanakya P, 2019-06-12T11:00:32Z
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=113966530

Hi Team,
I am also facing the same issue even though my site has https.
How to disable logged user credentials from Headers?
Can anyone help out.

RE: Login password appears in the clear in the request headers
Olaf Kock, 2019-06-12T11:23:08Z
https://liferay.dev/en/c/message_boards/find_message?p_l_id=119785333&messageId=113966869

> Chanakya P:
> Hi Team,
> I am also facing the same issue even though my site has https.
> How to disable logged user credentials from Headers?
> Can anyone help out.

What's wrong with the answer here, and the one that I gave yesterday (https://liferay.dev/forums/-/message_boards/message/113960499)?
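The thread's conclusion, as a triage routine for captured login requests (an added example, not code from the thread, from Liferay or from any of the posters): a login POST carrying credentials is a finding only when it travels over plain HTTP, and hashing the field in the browser first does not change that verdict, because the server then accepts the hash as the credential. The capture format, the field names and the sample requests are constructed for this illustration and are not Liferay's own.

```python
"""Classify captured login requests by transport, following the thread's reasoning:
clear-text form data visible in browser DevTools over https is expected, the same
data over http is a finding, and client-side hashing only obfuscates it.
Capture format, field names and samples are assumptions made for this example."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed names of form fields that carry a credential (not Liferay's real field names).
CREDENTIAL_FIELDS = {"login", "username", "password", "passwd", "pwd"}

# A bare hex digest of 32..128 characters (MD5 through SHA-512) is treated as "hashed".
HEX_DIGEST = re.compile(r"^[0-9a-f]{32,128}$")


@dataclass
class Capture:
    """One request as a proxy or browser would record it (constructed format)."""
    scheme: str                       # "http" or "https"
    method: str                       # "GET", "POST", ...
    path: str
    form: Dict[str, str] = field(default_factory=dict)


def looks_hashed(value: str) -> bool:
    """True when the submitted value is a hex digest rather than a typed password."""
    return bool(HEX_DIGEST.match(value.lower()))


def credential_fields(capture: Capture) -> List[str]:
    """Names of submitted form fields that carry a credential, sorted for stable output."""
    return sorted(name for name in capture.form if name.lower() in CREDENTIAL_FIELDS)


def triage(capture: Capture) -> Tuple[str, str]:
    """Return ("ok" | "finding", reason) for one captured request."""
    creds = credential_fields(capture)
    if capture.method.upper() != "POST" or not creds:
        return ("ok", "no credential fields submitted")
    if capture.scheme.lower() == "https":
        # Seeing the fields in DevTools is normal: the browser shows them before TLS encrypts them.
        return ("ok", "credentials sent over TLS; clear text in DevTools is expected")
    hashed = [name for name in creds if looks_hashed(capture.form[name])]
    if hashed:
        # The hash is what the server now verifies, so it is the credential; obfuscation only.
        return ("finding", f"plain HTTP: client-side hashing of {hashed} obfuscates but does not protect")
    return ("finding", f"plain HTTP exposes {creds} to anyone on the network path")


def report(captures: List[Capture]) -> List[Tuple[str, str, str]]:
    """Triage every capture; returns (path, verdict, reason) per request."""
    return [(c.path, *triage(c)) for c in captures]


# Constructed sample captures (login path and field names are assumptions).
SAMPLE_CAPTURES = [
    Capture("https", "POST", "/c/portal/login", {"login": "alice", "password": "Secret123!"}),
    Capture("http", "POST", "/c/portal/login", {"login": "alice", "password": "Secret123!"}),
    Capture("http", "POST", "/c/portal/login",
            {"login": "alice", "password": hashlib.md5(b"Secret123!").hexdigest()}),
    Capture("http", "GET", "/web/guest/home", {}),
]

if __name__ == "__main__":
    for path, verdict, reason in report(SAMPLE_CAPTURES):
        print(f"{verdict:8} {path}: {reason}")
```

Only the second and third samples are findings, and they get the same verdict: the fix for both is forcing https, which is what the original poster's security team finally confirmed, not masking or hashing the field.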