Hi Support,
Our pentest has reported 1 vulnerability on Password. They have found that the value sent over from the browser is in plain text.
Is it possible to mask it or not show it in plain text?
Regards,
CK
Hello!
From the Vaadin documentation: PasswordField | Server-Side Components | Framework | Vaadin 8 Docs
You should note that the PasswordField hides the input only from “over the shoulder” visual observation. Unless the server connection is encrypted with a secure connection, such as HTTPS, the input is transmitted in clear text and may be intercepted by anyone with low-level access to the network.
It should be fine if you use HTTPS. The developer tools allow us to inspect the requests before they are encrypted. The browser does not store these requests, and they are only available while dev tools are open: Network features reference - Chrome Developers.