Question

3
Replies
169
Views
MichaelG7231 Member since 2019 4 posts
General Motors
Posted: 4 months ago
Last activity: 4 months 3 weeks ago
Solved

How to set autocomplete="off" for Pega password field

We are on Pega Platform 8.4 on Kubernetes in an OnPrem cloud.

Our security scan flagged that the password text field to log in to Pega allows the browser to save/autofill the credentials and they've asked us to disable it.  Is this possible and how would we do it?

Below are the details from the scan.  Are we able to add the autocomplete="off" to that field somehow?

Thanks, Mike

 

Threat

An HTML form that collects sensitive information does not prevent the browser from prompting the user to save the populated values for later reuse. Autocomplete should be turned off for any input that takes sensitive information such as credit card number, CVV2/CVC code, U.S. social security number, etc.

Impact

If the browser is used in a shared computing environment where more than one person may use the browser, then "autocomplete" values may be submitted by an unauthorized user.

Solution

Add the following attribute to the form or input element: autocomplete="off" This attribute prevents the browser from prompting the user to save the populated form values for later reuse. Most browsers no longer honor autocomplete="off" for password input fields. These browsers include Chrome, Firefox, Microsoft Edge, IE, Opera However, there is still an ability to turn off autocomplete through the browser and that is recommended for a shared computing environment. Since the ability to turn autocomplete off for password inputs fields is controlled by the user it is highly recommended for application to enforce strong password rules.

 

 

***Edited by Moderator Marissa to update Platform Capability tags****

Pega Platform 8.4 Decision Management Security
Share this page LinkedIn