HTTPS interaction between an Express service and static site

Hello Community,

I have a question regarding the interaction between an Express service I’ve built and a static web page. When I consume the service (e.g., the Login feature) from the static page, I noticed that I can read the password and username in plain text in the browser’s devtools within the request.

I’m puzzled because I thought that the connection should automatically be secured with TLS due to the use of HTTPS from .render.com.

Any insights or guidance on this matter would be greatly appreciated.

Best regards, Patrick

Hey Patrick,

When you observe traffic via the browser’s devtools, you’re looking at the data prior to its encryption for transport over HTTPS. In other words, browser devtools show you the unencrypted version of the data for your own inspection, because you’re on the “client side” of the transaction. However, when this data is actually sent over the internet, it is encrypted if you’re using HTTPS.

Hope that cleared some of your concerns.

Jérémy.
Render Support, UTC+3

Hi Jérémy!
Thank you, yes, you could guide me. So to test the encryption, do I need to use something like Wireshark?
Best regards
Patrick

Hey Patrick,

I’m unclear on what you aim to test regarding the encryption. If you’re uncertain about how to test it, it might be best not to. Can you clarify your objective?

Jérémy.
Render Support, UTC+3

Thank you very much!

I want to check if the encryption is functioning properly and whether I can use it as a service for public usage. I was surprised to see that I can view the password and username in the browser’s developer tools. On other websites where I log in, I don’t encounter this situation.

Hey Patrick,

Website authentication mechanisms can differ, but what you’re observing – your credentials being sent – is a typical behavior during the initial stage of a request. You’re essentially viewing the data before it undergoes encryption. It’s essential to note that these are your own credentials, and they need to be transmitted to the server for authentication.

To put this in perspective, if you attempt to log into dashboard.render.com and simultaneously open the dev tools, you’ll notice your credentials visible within the GraphQL request directed to the server. This is a standard process, and the actual transmission is secure.

Jérémy.
Render Support, UTC+3
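
An added example (not from the thread and not Render's code): a server-side complement to the replies above, an Express-style middleware that refuses a login request that did not arrive over HTTPS. It assumes the hosting proxy terminates TLS and passes the original scheme in `X-Forwarded-Proto`; `originalScheme`, `requireHttps` and `simulate` are names made up for this example.

```javascript
// Added example. Plain functions with the Express middleware signature
// (req, res, next), so the file runs without installing express.

// Assumption: the app sits behind a TLS-terminating proxy that forwards the
// client's scheme in X-Forwarded-Proto. Only trust this header when the app
// is reachable solely through that proxy; a direct client could forge it.
function originalScheme(req) {
  const header = req.headers['x-forwarded-proto'];
  if (typeof header === 'string' && header.trim() !== '') {
    // Chained proxies may send a list ("https,http"): require every hop.
    const hops = header.split(',').map((h) => h.trim().toLowerCase());
    return hops.every((h) => h === 'https') ? 'https' : 'http';
  }
  // No proxy header: fall back to whether this socket itself is TLS.
  return req.socket && req.socket.encrypted ? 'https' : 'http';
}

function requireHttps(req, res, next) {
  if (originalScheme(req) !== 'https') {
    // Reject instead of redirecting: by the time a POST is redirected,
    // the credentials in its body have already crossed the wire unencrypted.
    res.statusCode = 403;
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ error: 'HTTPS required' }));
    return;
  }
  // Tell browsers to use HTTPS for this host on later visits.
  res.setHeader('Strict-Transport-Security', 'max-age=31536000');
  next();
}

// Constructed request/response stand-ins to exercise the middleware offline.
function simulate(headers, encrypted = false) {
  const out = { status: 200, headers: {}, body: '', passed: false };
  const req = { headers, socket: { encrypted } };
  const res = {
    set statusCode(code) { out.status = code; },
    setHeader(name, value) { out.headers[name.toLowerCase()] = value; },
    end(body = '') { out.body = body; },
  };
  requireHttps(req, res, () => { out.passed = true; });
  return out;
}

// In an Express app: app.use(requireHttps) before the login route.
console.log(simulate({ 'x-forwarded-proto': 'https' }));
console.log(simulate({ 'x-forwarded-proto': 'http' }));
```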
