I am doing a password manager web app (like LastPass etc), one of the things that has occurred to me is that after using PHP to retrieve the passwords from a db and decrypting them and then using JS to display them in the UI, the variables containing their passwords are visible if someone looks at the source code. Even if I did not use JS and used echo instead it would still be in the source code. Does anyone know of a, hopefully not too complex, way that can prevent the passwords from being in the source code?
Advertisement
Answer
If you’re talking about the HTML source code, this is normal. But there is a few way to avoid it:
- If you just want not to have it in your HTML when it is received by the user, then you can implement it via an Ajax request in javascript, to update the DOM with the text.
- If you want that when the user do
inspecton the page he doesn’t see the password you can use aninputand set in javascript the value of it. then you set the input asdisabledso the user cannot modify it. You can even change the type as password when needed so it’s displayed as******when you want to hide it. - Another way could be to add in javascript a css
:afterand tu put the value inside it. But it will still be visible somewhere I think.