Security risk - Sign in credentials visible in HTTP request - Mendix Forum

Security risk - Sign in credentials visible in HTTP request


We all know, and probably use, the out of the box Mendix feature to sign in as a technical user, described in the following post: enabling-security-and-adding-a-login-page.


When testing the security of this out of the box Mendix feature, I was able to see the entered username and password unencrypted (see image below). It would be nice to see that these credentials are encrypted.


It might be possible to encrypt the credentials yourself in a nanoflow and use the sign in activity. But I would expect the out of the box Mendix feature to be secure.


[image.png, image.png: screenshots referenced above]


When signing in with SSO, I'm not able to find my credentials in any HTTP requests. So SSO sign in should be secure!

1 answer

Hello Cedric,


As this would be communicated over an HTTPS connection, the username and password are encrypted during transit. This is industry standard, and any encryption done at the client before sending this information to the server would not add any significant level of security.


If you have any more specific questions on this, please reach out to me on the Mendix Community Slack.


Regards, 

Jasper van de Peppel

Director Product Security
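An added illustration of the point made in the answer above (example code written for this page, not Mendix code and not the answer author's): if the browser hashes or "encrypts" the password before the login POST, the value it sends simply becomes the credential, and anyone who can read the request body (which is only possible without TLS) can replay it. The user store, login endpoint, captured request and hypothetical function names below are constructed for the example. Note also that browser developer tools display a request before TLS encryption is applied, so seeing a plaintext username and password there is expected on an https page and is not evidence that the credentials cross the network unencrypted.

```python
"""Why client-side hashing of a password does not replace TLS.

Added example for illustration; not Mendix code. The user store, the
two login endpoints and the 'captured' request body are constructed.
"""
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Constructed server-side user store: salted PBKDF2 of the real password.
_SALT = os.urandom(16)
_ITERATIONS = 100_000


def _kdf(secret: str, salt: bytes) -> bytes:
    """Server-side key derivation (what a sensible backend stores)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, _ITERATIONS)


_PASSWORD = "correct horse battery staple"  # constructed test credential

# Scheme 1: the plaintext password travels inside TLS; the server derives
# the key and compares in constant time.
USERS = {"cedric": _kdf(_PASSWORD, _SALT)}


def login_plain(username: str, password: str) -> bool:
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _kdf(password, _SALT))


# Scheme 2: "client-side encryption". The browser sends H(password) instead
# of the password, and the server stores a KDF of that hash.
def client_prehash(password: str) -> str:
    """What a nanoflow or JavaScript action might do before calling sign in."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


PREHASHED_USERS = {"cedric": _kdf(client_prehash(_PASSWORD), _SALT)}


def login_prehashed(username: str, client_hash: str) -> bool:
    stored = PREHASHED_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _kdf(client_hash, _SALT))


def observer_replays(captured_body: dict) -> bool:
    """A network observer who could read the POST body (i.e. no TLS) just
    resubmits what it saw. The pre-hash works exactly like the password,
    so the client-side step gained nothing against that observer."""
    return login_prehashed(captured_body["username"], captured_body["password"])


def transport_protects_credentials(login_url: str) -> bool:
    """The check that actually matters: the login request must use https.
    (Developer tools show the decrypted request even then.)"""
    return urlsplit(login_url).scheme == "https"


if __name__ == "__main__":
    # Constructed 'captured' request body from the pre-hashing scheme.
    captured = {"username": "cedric", "password": client_prehash(_PASSWORD)}
    print("plain login ok:", login_plain("cedric", _PASSWORD))
    print("replayed pre-hash accepted:", observer_replays(captured))
    print("https login url:", transport_protects_credentials("https://example.invalid/login"))
```

The replayed value is accepted because the server has no way to distinguish a hash computed by the real user from one copied off the wire; only TLS (or a challenge-response protocol, which is a different design) keeps a passive observer from obtaining a reusable credential.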
