User and password appear on console after POST

2

The code below makes a POST of the data entered by the user in the login.

// AngularJS $http POST of the login form data; `object` holds the customer credentials
$http.post('api/v1/login', object).then(function (results) {
    return results.data;
});

Notice that I pass as a parameter an object that contains the data entered in the login:

// example of an object after filling in the password/login fields
{"customer":{"email":"[email protected]","password":"123456"}}

The problem is that when debugging in the Firefox console, I can see the email and password entered, see:

Does this not raise security issues?

As the application is made with AngularJS, there is no page refresh; if you leave the console open, whoever uses the application on that computer will have the data exposed if you just log out and keep the browser open.

asked by anonymous 31.10.2014 / 17:26

1 answer

2

When you make a POST, these variables are not only visible in the console. The request that the browser makes goes through dozens of machines until it reaches the server. All of those machines can read the request.

If you log in to this system from a network, the network administrator can view the complete contents of the POST through the access logs, and can see your accesses in real time with tools like Fiddler2 or Wireshark.

Ideally, you force the user to only access the login page with the link protocol, just like sites like GMail do. When you use link , the POST data is encrypted and cannot be easily read by third parties along the path between the browser and the server. It is not 100% secure, but for most cases it is 99.999% safe.

Link will still be able to see the credentials in the browser console. But as Caputo said, if the user leaves the computer unprotected, the security flaw is the user, not the system.

31.10.2014 / 19:03
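The two points raised above (the body of a plain-HTTP POST is readable on the path, and the credentials stay visible to anyone who later opens the console) as an added example that is not part of the question or the answer. It assumes a `postFn` that behaves like AngularJS `$http.post(url, body)` and returns a promise; the protocol string is passed in so the helper can be exercised without a browser.

```javascript
// Login helper for an AngularJS-style client (added example, not the asker's code).
// 1. Refuses to hand credentials to the network unless the page itself was loaded
//    over https, mirroring the answer's advice to only serve the login page over TLS.
// 2. Copies the credentials into a short-lived request body and blanks the password
//    in the form model right after the request is issued, so a debugger attached
//    later does not find it sitting in $scope.
function sendLogin(locationProtocol, postFn, customer) {
  if (locationProtocol !== 'https:') {
    // Over plain http every hop between browser and server can read this body.
    throw new Error('refusing to send credentials over ' + locationProtocol);
  }
  // Build the body once; do not keep it in a long-lived scope object.
  var body = { customer: { email: customer.email, password: customer.password } };
  // Drop the password from the caller's form model as soon as it has been copied out.
  customer.password = '';
  return postFn('api/v1/login', body).then(function (results) {
    return results.data;
  });
}

// Returns a deep copy of a request/response object with every `password` field
// masked, for use anywhere the app writes debug output to the console or a log.
// The original object is left untouched so the real request still carries the value.
function redactForLog(value) {
  if (Array.isArray(value)) {
    return value.map(redactForLog);
  }
  if (value !== null && typeof value === 'object') {
    var out = {};
    Object.keys(value).forEach(function (key) {
      out[key] = key === 'password' ? '***' : redactForLog(value[key]);
    });
    return out;
  }
  return value;
}
```

Logging `redactForLog(body)` instead of `body` keeps the email visible for troubleshooting while the password never reaches the console buffer.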