Autocomplete Attribute Not Disabled for Password Fields in Login Forms #44019
Comments
Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

I think it might just be an update to I might be interested in this :)

I think this is something that can be worth fixing to improve the security posture of airflow. Feel free to work on this @geraj1010 cc @bbovenzi

@amoghrajesh Okay sounds good.
…f for username and password input elements on AUTH_DB login page
Description
Currently, the password input fields in Apache Airflow's login forms do not have the autocomplete attribute set to off. This allows browsers to store passwords entered by users, which poses a potential security risk—especially when accessing Airflow from shared or public computers. To enhance security and adhere to best practices for handling sensitive information, the autocomplete attribute should be disabled for all password fields in form-based authentication.
Use case/motivation
As an employee responsible for the security of our corporate IT systems that utilize Apache Airflow, I want to enhance the protection of user credentials by disabling the autocomplete feature on password fields. This change will make our systems more secure for all users by preventing browsers from storing sensitive passwords, which could be exploited if a device is compromised or shared. Additionally, implementing this fix will ensure that our automated security scanners no longer flag this issue, helping us maintain compliance with our organization's security policies and reducing the overhead of managing reported vulnerabilities.
Related issues
No response
Are you willing to submit a PR?
Code of Conduct
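
The check this issue asks for, written the way a scanner would perform it, as an added example that is not Airflow's code or part of the original issue: it parses login-page HTML and reports password inputs whose effective `autocomplete` value is not `off`. The sample markup, class name and function name are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (not Airflow's actual login template).
SAMPLE_LOGIN_HTML = """
<form id="login" method="post" action="/login/">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password">
</form>
<form id="reset" method="post" autocomplete="off">
  <input type="password" name="new_password">
  <input type="PASSWORD" name="confirm" autocomplete="new-password">
</form>
"""


class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete is not 'off'."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None  # value set on the enclosing <form>, if any
        self.findings = []             # (field name, source line, effective value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # the parser already lowercases tag and attribute names
        if tag == "form":
            self.form_autocomplete = (a.get("autocomplete") or "").strip().lower() or None
        elif tag == "input" and (a.get("type") or "").strip().lower() == "password":
            if "autocomplete" in a:
                effective = (a["autocomplete"] or "").strip().lower()
            else:
                # Without its own attribute, the input inherits the form's setting.
                effective = self.form_autocomplete
            if effective != "off":  # the criterion stated in the issue
                self.findings.append((a.get("name", "?"), self.getpos()[0], effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit_password_fields(html):
    """Return findings for every password input that does not resolve to 'off'."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, line, value in audit_password_fields(SAMPLE_LOGIN_HTML):
        print(f"line {line}: password field {name!r} has autocomplete={value!r}")
```

Browsers' built-in password managers commonly ignore `autocomplete="off"` on password fields, so a clean result here describes the markup a scanner inspects and does not guarantee that nothing is stored.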