The application page contains a form with a password field. This form submits user data using the GET method; therefore the contents of the password field will appear in the URL. Sensitive information should not be passed via the URL. URLs could be logged or leaked via the referrer header.
Need a solution at the Pega level.
***Edited by Moderator: Pallavi to update platform capability tags***
Normally, a Pega form will do a POST and will never do a GET request.
From the image attachment I could see the aadhar number is sent in a GET request for URL?pyActivity="Code-Security.-pzGeneratCaptcha", and it will be used only when you try to get a new captcha image: either when you enter wrong credentials and do a submit, or when you request a new captcha image, as Pega downloads the image via the URL response.
In both scenarios no sensitive information will be sent (only the current time will be sent in the URL).
Can you check the customization, if any, done for the "Web-Login" HTML rule?
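One way to verify the answer above against real traffic is to scan the web server access log for GET requests whose query string carries a password or ID-number field, while treating a captcha request that carries only a timestamp as benign. This is an added example, not code from the thread or from Pega; the log lines, the `/app/login` path and the `ts`, `UserIdentifier`, `Password` and `aadhar` parameter names are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines, not taken from the original thread.
# Every query parameter name except pyActivity is an assumption for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/login?pyActivity=Code-Security.pzGenerateCaptcha&ts=1704103200000 HTTP/1.1" 200 1234
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /app/login HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /app/login?UserIdentifier=alice&Password=S3cret&aadhar=123456789012 HTTP/1.1" 200 5678
"""

# Field names that must never travel in a URL (matched case-insensitively).
SENSITIVE_NAMES = {"password", "pwd", "passwd", "aadhar", "aadhaar", "secret", "token"}
# Unix time in seconds or milliseconds: the only value the captcha GET is expected to carry.
TIMESTAMP_RE = re.compile(r"^\d{10,13}$")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_get(target: str) -> dict:
    """Split a GET request target's query into sensitive, timestamp-only and other parameters."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    result = {"sensitive": [], "timestamp": [], "other": []}
    for name, value in params:
        if name.lower() in SENSITIVE_NAMES:
            result["sensitive"].append(name)
        elif TIMESTAMP_RE.match(value):
            result["timestamp"].append(name)
        elif name != "pyActivity":
            result["other"].append(name)
    return result


def scan_log(log_text: str) -> list:
    """Return (line_number, parameter_names) for every GET whose query carries a sensitive field."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue  # POST bodies are not written to the access log, so only GET targets matter here
        hit = classify_get(m.group("target"))
        if hit["sensitive"]:
            findings.append((line_no, hit["sensitive"]))
    return findings


if __name__ == "__main__":
    for line_no, names in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: sensitive field(s) in GET query: {', '.join(names)}")
```

If the scan reports the login GET but not the captcha GET, the customization of the login form, rather than the captcha refresh, is where the leak comes from.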