I'm trying to ensure that when a user enters their password to log in, it doesn't appear in the payload of the request. In the backend, I'm using express.js and encrypting passwords with bcrypt. In the frontend I'm using solid.js How can I make sure the password doesn't appear if I look in the devtools?
What I can see in devtools right now
I've tried hashing them on the frontend and sending them to the backend, but what it receives is not the same. I've also looked into JWT, but I'm not sure if it's closely related to this... I just want it to logically validate if the user is correct and their password is correct to access the application, but without the password being discoverable if someone accesses the devtools.
As commenters have said, the fact that a password appears in plaintext in the payload is not a security issue - as long as you're using https.
But if you are concerned about the password:
then there is a way to prevent the transmission of the user's plaintext password to the server.
Unfortunately it means you'll have to abandon bcrypt entirely, since under SRP a hash of the password is useless.
The usual way around that is to:
But a better version is to just use https, and tell regulators, auditors, managers, and governments it is not a problem.