Firebase request url showing username and password in request payload in network tab

Question

Sign up page using firebase is showing username and password in network tab. Is there any way that I can send the user information to firebase more securely(like hashed one). enter image description here

In the firebase auth docs ( https://firebase.google.com/docs/reference/rest/auth ) ,it has been mentioned the same that email and password would be send as string !! Not sure if its a secure way or is there anything else that I am missing here.

This would be fine since the request is made over HTTPS so the request payload would be encrypted anyway. — JoshuaRDBrown, Sep 09 '21 at 11:28
I understand in the HTTPS it would be secure but that doesnt seems to help since still it would be visible in the network tab. :( — Sreejith Narayanankutty, Sep 09 '21 at 11:31

Frank van Puffelen · Accepted Answer · 2021-09-09T13:41:32.893

The only person who can see the network tab on your browser is you and anyone around you, so the security risk on that end is only as big as you choose to make it.

The password is sent from your browser to the server in cleartext over a secure connection. There is no way for anyone along the way to intercept that, unless they've hacked into the network (like with a fake certificate) in which case the leaked password is probably not your biggest problem.

On the server the password is salted and hashed before it is stored, so there's no risk there either.

Also see:

Email & Password login security (on the Firebase mailing list)
Is firebase JavaScript SDK secure over network?
Does Firebase Authentication store hashed and salted passwords?

Firebase request url showing username and password in request payload in network tab

1 Answers1

Linked

Related