Is passing password from server to browser in javascript variable over https secure?

Following is our page flow,

  1. User is at Login page accessing via https.
  2. User enters password and page is submitted (POST method).
  3. The user's credentials are not authenticated at this point; instead, the server responds with a polling page (https).
  4. In order to retain the password on the poll page, it is passed from the server to the browser in a JavaScript variable, and on submit of the poll page the password is sent again via the POST method. Only now does the server authenticate the user's credentials.

Question: Is passing password from server to browser in javascript variable over https secure?

My opinion

  • Entire transaction between the browser and server is via https and password is passed via POST method - so password is SECURE.
  • The password is visible via "view page source" since it is assigned to a javascript variable - NOT SECURE if browser plug-in has access to the page content. But if browser plug-in has access to page content then it can even access the password while user enters it, so NO new threat is introduced by this flow.

Note

  • I know there is a better way to handle this flow, but I am interested in whether our existing flow is secure or not.
  • Any reference to security tips will be helpful.
Barath asked Dec 02 '25 18:12


1 Answer

The bigger issue is best practice - you just don't need to do it, and it's bad practice. This would indicate a poor understanding of security overall - it's a best practice to not store the password in plaintext ever. If your programmer coworkers do not give proper credence to this concept, then I would suggest they may have other areas they are lax in observing, security-wise.

Security is a mindset, not a lowest common denominator. It's about giving as few opportunities for compromise as possible, giving as little wedge room as possible.

Not storing plaintext passwords is what you should do, not "store them when we want unless someone can prove it's bad".

This interest in "harmless failures" – cases where an adversary can cause an anomalous but not directly harmful outcome – is another hallmark of the security mindset. Not all "harmless failures" lead to big trouble, but it's surprising how often a clever adversary can pile up a stack of seemingly harmless failures into a dangerous tower of trouble. Harmless failures are bad hygiene. We try to stamp them out when we can.

http://freedom-to-tinker.com/blog/felten/security-mindset-and-harmless-failures

Jared Farrish answered Dec 05 '25 09:12
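As an added example (not code from the question or the answer), the following Python contrasts the flow described in the question with the alternative the answer argues for. The unsafe renderer reproduces the poll page from the question: the submitted password is echoed back into a JavaScript variable, so it is visible in "view page source". The hardened version checks the credentials once at the original POST and hands the browser only a random, short-lived, single-use token from a server-side store; the poll page then re-POSTs that token rather than the password. The store, the page templates and the `/login/complete` endpoint are assumptions made for the demo, not anything from the original site.

```python
import html
import json
import secrets
import time

# Constructed sample credentials for the demo (not real values).
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"


def render_poll_page_unsafe(password: str) -> str:
    """The flow from the question: the server echoes the submitted password
    back into a JavaScript variable so the poll page can re-POST it later.
    json.dumps makes the value a valid JS string literal, but the plaintext
    password is still sitting in the page source for anything that can read it."""
    return (
        "<html><body>\n"
        "<form id='poll' method='POST' action='/login'></form>\n"
        "<script>\n"
        f"  var password = {json.dumps(password)};\n"
        "  // onsubmit: copy `password` into the form and POST it again\n"
        "</script>\n"
        "</body></html>"
    )


class PendingAuthStore:
    """Hypothetical server-side store of short-lived, single-use opaque tokens.

    The credential check happens once, at the original POST. What the poll
    page carries is a random token proving that check succeeded; the password
    itself is never written into a page or kept in plaintext anywhere.
    """

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self._pending = {}  # token -> (username, expires_at)

    def issue(self, username: str, now: float = None) -> str:
        """Mint a token after the password has already been verified."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[token] = (username, now + self.ttl)
        return token

    def redeem(self, token: str, now: float = None):
        """Return the username for a valid token and invalidate it, else None."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)  # pop, not get: single use
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            return None  # expired tokens are dropped, never honoured
        return username


def render_poll_page_safe(token: str) -> str:
    """Hardened poll page: only the opaque token travels to the browser,
    as a hidden form field that is POSTed to a (hypothetical) completion URL."""
    return (
        "<html><body>\n"
        "<form id='poll' method='POST' action='/login/complete'>\n"
        f"  <input type='hidden' name='pending' value='{html.escape(token)}'>\n"
        "</form>\n"
        "</body></html>"
    )


def page_leaks_secret(page: str, secret: str) -> bool:
    """Check a rendered page the way 'view page source' would see it,
    both as raw text and as the JS string literal an echo would produce."""
    return secret in page or json.dumps(secret) in page


if __name__ == "__main__":
    unsafe = render_poll_page_unsafe(SAMPLE_PASSWORD)
    print("unsafe page leaks password:", page_leaks_secret(unsafe, SAMPLE_PASSWORD))
    store = PendingAuthStore(ttl_seconds=120)
    tok = store.issue(SAMPLE_USER)
    safe = render_poll_page_safe(tok)
    print("safe page leaks password:", page_leaks_secret(safe, SAMPLE_PASSWORD))
    print("first redeem:", store.redeem(tok), "second redeem:", store.redeem(tok))
```

The token is what the browser retains across the polling step, so a plug-in or anyone reading the page source gets a value that is random, expires in two minutes and stops working after one use, instead of a credential that is reusable everywhere the user has the same password.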


