How can I protect the user password?

Question

I am creating a MEAN stack application.

I have noticed by chance that whenever I send the credentials of the user to the backend, I can "fish" it from the network option on the browser (F12). See image?

What is the fastest and simplest way to handle this?

What is the more well-elaborated approach?

Answer 1

Who can press F12 to see the password?

The person operating the web browser. Who is the same person who just entered that password.

That a user can see their own password in the browser developer tools is not by itself a problem, any "solution" to that is going to be useless snake oil.

An actual security problem only exists when other people who are neither the user nor the owner/admin of the server can see the password. And if the request is sent via plain HTTP, that is in fact the case.

The solution to that is HTTPS.

Which is exactly the reason why there has been an ongoing campaign by security experts for years to basically retire plain HTTP for user-facing websites:

• https://doesmysiteneedhttps.com/
• https://www.eff.org/https-everywhere
• https://letsencrypt.org/

Sidenote: encrypting the request in your application may make the password not decipherable when pressing F12, but will not solve the security problem, because the encryption key will be part of your application and delivered on demand to anyone visiting your website. HTTPS includes a mechanism for the server and client to agree on an encryption key to use for a session without letting any outsider see that key.

Answer 2

You must send credentials only to services running HTTPS to protect the data as it is sent to the server.