Replace HTTP GET with HTTP POST in IDP login.html

I am trying to replace all the HTTP GET with HTTP POST in the Login.html file. First of all I cannot find the login.html file and second of all, where do I go in CUBA to replace the HTTP GET with HTTP POST?


Please do not use Community How Tos category for questions. It is meant to be used for guides from community, not for questions.

Could you please clarify, what login.html are you talking about? There is no login.html in CUBA itself.

Why do you think that CUBA uses GET for requests?

When I deployed the application, I found the login.html being created under folder \deploy\tomcat\webapps\app\idp.

I ran a Fortify Security process and here is one of the items in the report:
“The form in login.html submits a password as part of an HTTP GET request on line 39, which will cause the password to be displayed, logged, and stored in the browser cache. Submitting a password as part of an HTTP GET request will cause the password to be displayed, logged, or stored in a cache.”
Avoid sending sensitive data, such as passwords, via an HTTP GET request. Sensitive data should travel from the browser to the server using HTTP POST, not HTTP GET.

First of all, this page is used only if IDP functionality is enabled. It is disabled by default on the server-side. Second - it sends login and password using AJAX POST, you can easily check its code.

Standard Web Client sends all data using AJAX POST.

Thank you so much for the quick reply. I will disable it.

It is already disabled, what are you trying to disable?

I keep getting dinged by the Fortify on Demand Security Review for what it finds in the login.html file. I need to do something not to allow CUBA to generate that file so I can pass that security review. Fortify sees the HTTP GET in that file as a security vulnerability.

Your tool shows false positive results, open the file and check it manually. Form is sent using POST only.

I can’t even find POST in the code behind the form.

Check login.js file (line 44):

    type: "POST",
    url: "auth",
    data: JSON.stringify({
        username: $('.form-username').val(),
        password: $('.form-password').val(),
        serviceProviderUrl: serviceProviderUrl,
        responseType: responseType,
        locale: selectedLocale

Thank you so much for your help! I was able to figure it out and indeed it was a false positive as you suggested.
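Added example (not part of the original thread, and not CUBA or Fortify code): a small Node.js triage helper that shows why a markup-only check reports GET for a password form with no `method` attribute, and how to tell that case apart from a form that really would submit the password in the URL. The sample markup and script strings are constructed assumptions modelled on the class names and `type: "POST"` option quoted above, and the regex checks are heuristics.

```javascript
// Constructed sample markup and script (assumptions; not the real CUBA IDP files).
const FORM_NO_METHOD = `<form class="login-form">
  <input type="text" class="form-username">
  <input type="password" class="form-password">
  <button type="submit">Log in</button>
</form>`;
const FORM_EXPLICIT_POST = FORM_NO_METHOD.replace('<form ', '<form method="post" ');
const SCRIPT_AJAX_POST = `$.ajax({ type: "POST", url: "auth", data: JSON.stringify({}) });`;

// HTML rule: a missing or unrecognized method attribute means the form submits with GET.
function effectiveMethod(formOpenTag) {
  const m = /\smethod\s*=\s*["']?([a-z]+)/i.exec(formOpenTag);
  const value = m ? m[1].toLowerCase() : '';
  return value === 'post' || value === 'dialog' ? value.toUpperCase() : 'GET';
}

// Heuristic: does the script send its request with POST (jQuery "type"/"method" option)?
function scriptUsesPost(js) {
  return /\b(?:type|method)\s*:\s*["']POST["']/i.test(js);
}

// Triage one page: what the markup alone says versus what the script does.
function triageLoginForm(html, js) {
  const form = /<form\b[^>]*>([\s\S]*?)<\/form>/i.exec(html);
  if (!form) return { verdict: 'no-form' };
  const openTag = form[0].slice(0, form[0].indexOf('>') + 1);
  const hasPassword = /<input\b[^>]*type\s*=\s*["']?password/i.test(form[1]);
  const method = effectiveMethod(openTag);
  const staticFlag = hasPassword && method === 'GET';
  let verdict = 'ok';
  if (staticFlag) {
    // Markup says GET; a POST in the script suggests the submit is handled in JavaScript.
    verdict = scriptUsesPost(js) ? 'static-GET-but-script-POST' : 'password-over-GET';
  }
  return { method, hasPassword, staticFlag, verdict };
}

console.log(triageLoginForm(FORM_NO_METHOD, SCRIPT_AJAX_POST));
console.log(triageLoginForm(FORM_EXPLICIT_POST, SCRIPT_AJAX_POST));
```

A `static-GET-but-script-POST` verdict is only a hint: confirm in the browser's network tab that the login request is a POST with the credentials in the body. An explicit `method="post"` on the form removes the static finding and keeps the password out of the URL if the script fails to load.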