Question
Security issues after pen test: Password field with autocomplete enabled
Hi,
Please find below the details of a security issue raised during a pen test:
Description: Password field with autocomplete enabled.
Mitigation step:
"To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
Please note that modern web browsers may ignore this directive. In spite of this, there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance."
I checked the PDN for the same, but didn't find anything.
Is there a way I can set the autocomplete attribute globally, or any DSS setting for it? Could you please advise on this?
Hi,
To disable autocomplete on the login screen, we have to customize the web-login HTML rule.
Please follow this PDN article to customize the login screen:
https://pdn.pega.com/customizing-pega-7-login-screen
See the form tag in the web-login HTML, which already has autocomplete="off" in it.
Ideally, the browser must not automatically complete entries/fields if we have this setting in the form tag.
See https://www.w3schools.com/tags/att_form_autocomplete.asp
Even locally, I am seeing that the browser is still autocompleting the username/password fields, ignoring the autocomplete="off" setting in the form tag.
See the articles below, which mention that most modern browsers ignore this setting and suggest using another value, autocomplete="new-password":
https://github.com/mailwatch/MailWatch/issues/383
https://stackoverflow.com/questions/12374442/chrome-browser-ignoring-autocomplete-off
Please customize the login screen by customizing the web-login HTML rule to serve the purpose.
This has nothing to do with any system setting or DSS. You have to customize the login screen.
Thank you,
Adithya