Article Categories

Selected Reading

How to hide credential information form URL while submitting the HTML Form?

HTML Web Development Front End Technology

In today's digital landscape, web applications often require users to provide sensitive information, such as usernames and passwords, through HTML forms. When submitting a form using the GET method, the default behavior includes this information as part of the URL. However, exposing credentials in the URL can pose significant security risks, as the information becomes visible in browser history, server logs, and can be easily intercepted.

To mitigate this risk and enhance the security of web applications, it is essential to understand how to hide credential information from the URL while submitting HTML forms. In this article, we will explore various techniques and best practices to achieve this goal, ensuring the protection of sensitive data.

Overview of the Problem

When a user submits an HTML form using the method="GET", the data is sent as part of the URL in what is known as the query string. For example, consider a login form where the username and password are submitted using the GET method

https://example.com/login?username=johndoe&password=secretpassword

In this case, the credentials "johndoe" and "secretpassword" are visible in the URL, potentially compromising the security of the user's account.

Exposing credentials in the URL poses several risks. First, the URL with the sensitive information may be stored in browser history, making it accessible to anyone with access to the user's device. Additionally, server logs and analytics tools might record the URL, leaving the credentials vulnerable to unauthorized access. Lastly, if the URL is transmitted over an insecured network, it can be intercepted by malicious actors.

To address these risks, it is crucial to employ techniques that prevent credential information from being visible in the URL during form submission.

Using the POST Method

The most fundamental technique involves utilizing the POST method instead of the default GET method for form submissions. When using the POST method, the form data is sent as part of the request body rather than appending it to the URL. This provides an added layer of security as the sensitive information is not exposed in the URL.

Example

Here's an example of an HTML form using the POST method

<!DOCTYPE html>
<html>
<head>
   <title>Secure Login Form</title>
</head>
<body style="font-family: Arial, sans-serif; padding: 20px; background-color: #f9f9f9;">
   <div style="max-width: 400px; margin: 0 auto; background: white; padding: 30px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1);">
      <h2 style="text-align: center; color: #333; margin-bottom: 30px;">Login</h2>
      <form action="submit-form.php" method="POST">
         <div style="margin-bottom: 20px;">
            <label for="username" style="display: block; margin-bottom: 5px; font-weight: bold;">Username:</label>
            <input type="text" id="username" name="username" required style="width: 100%; padding: 10px; border: 1px solid #ddd; border-radius: 4px;">
         </div>
         <div style="margin-bottom: 20px;">
            <label for="password" style="display: block; margin-bottom: 5px; font-weight: bold;">Password:</label>
            <input type="password" id="password" name="password" required style="width: 100%; padding: 10px; border: 1px solid #ddd; border-radius: 4px;">
         </div>
         <input type="submit" value="Login" style="width: 100%; padding: 12px; background-color: #007bff; color: white; border: none; border-radius: 4px; font-size: 16px; cursor: pointer;">
      </form>
   </div>
</body>
</html>

In this example, the form's action attribute specifies the endpoint where the form data will be submitted. The method attribute is set to "POST" to indicate that the form should be submitted using the POST method. The form fields, such as the username and password, will be included in the request body rather than the URL.

Implementing Server-Side Handling

Another approach involves handling the form submission on the server-side. Instead of directly submitting the form data to another URL, the form data is sent to a server-side script that handles the data securely. This allows for custom validation, processing, and storage of the credentials without exposing them in the URL.

The server-side script can be implemented in various programming languages such as PHP, Node.js, or Python, depending on your application's backend technology. Within the server-side script, you can access the submitted form data and perform the necessary operations securely.

Example

Here's an example using PHP as the server-side language

<?php
   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
      $username = $_POST['username'];
      $password = $_POST['password'];
   
      // Validate input
      if (empty($username) || empty($password)) {
         echo "Username and password are required.";
         exit;
      }
   
      // Hash password for comparison
      $hashed_password = password_hash($password, PASSWORD_DEFAULT);
   
      // Perform authentication logic here
      // Check against database, validate credentials
   
      // Redirect to dashboard on success
      header("Location: dashboard.php");
      exit;
   }
?>

In this example, the PHP script checks if the request method is POST, indicating that the form has been submitted. The script then retrieves the values of the username and password fields from the $_POST superglobal array and performs the necessary validation and processing operations.

Implementing AJAX Requests

AJAX (Asynchronous JavaScript and XML) allows for submitting form data asynchronously without the need for a page reload. This technique can be utilized to hide credential information by sending the form data in the background using JavaScript, ensuring credentials never appear in the URL.

Example

Here's an example using JavaScript and the jQuery library for AJAX form submission

<!DOCTYPE html>
<html>
<head>
   <title>AJAX Login Form</title>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
   <script>
      $(document).ready(function() {
         $('#loginForm').submit(function(event) {
            event.preventDefault();
   
            var formData = $(this).serialize();
            var submitBtn = $('#submitBtn');
            var messageDiv = $('#message');
   
            // Disable submit button during request
            submitBtn.prop('disabled', true).val('Logging in...');
   
            $.ajax({
               url: 'submit-form.php',
               method: 'POST',
               data: formData,
               success: function(response) {
                  messageDiv.html('<p style="color: green;">Login successful! Redirecting...</p>');
                  setTimeout(function() {
                     window.location.href = 'dashboard.html';
                  }, 1000);
               },
               error: function(xhr, status, error) {
                  messageDiv.html('<p style="color: red;">Login failed. Please try again.</p>');
                  submitBtn.prop('disabled', false).val('Login');
               }
            });
         });
      });
   </script>
</head>
<body style="font-family: Arial, sans-serif; padding: 20px; background-color: #f5f5f5;">
   <div style="max-width: 400px; margin: 50px auto; background: white; padding: 30px; border-radius: 8px; box-shadow: 0 2px 15px rgba(0,0,0,0.1);">
      <h2 style="text-align: center; color: #333; margin-bottom: 30px;">AJAX Login</h2>
      <form id="loginForm">
         <div style="margin-bottom: 20px;">
            <label for="username" style="display: block; margin-bottom: 5px; font-weight: bold;">Username:</label>
            <input type="text" id="username" name="username" required style="width: 100%; padding: 10px; border: 1px solid #ddd; border-radius: 4px;">
         </div>
         <div style="margin-bottom: 20px;">
            <label for="password" style="display: block; margin-bottom: 5px; font-weight: bold;">Password:</label>
            <input type="password" id="password" name="password" required style="width: 100%; padding: 10px; border: 1px solid #ddd; border-radius: 4px;">
         </div>
         <input type="submit" id="submitBtn" value="Login" style="width: 100%; padding: 12px; background-color: #28a745; color: white; border: none; border-radius: 4px; font-size: 16px; cursor: pointer;">
      </form>
      <div id="message" style="margin-top: 15px;"></div>
   </div>
</body>
</html>

In this example, we attach an event handler to the form's submit event using jQuery. When the form is submitted, the event handler prevents the default form submission behavior using event.preventDefault(). The form data is then serialized using $(this).serialize() to retrieve all form field values. Finally, an AJAX request is made to the specified URL with the form data, ensuring credentials are never visible in the browser's address bar.

Comparison of Methods

Following table compares different approaches for hiding credentials from URLs

Method	Security Level	Implementation Complexity	User Experience
POST Method	Good	Low	Standard page reload
Server-Side Handling	Very Good	Medium	Standard page reload
AJAX Requests	Very Good	Medium	No page reload, dynamic feedback
HTTPS + POST	Excellent	Low	Standard page reload

Security Best Practices

When handling credential information, it's essential to prioritize security and protect sensitive data. Here are recommended best practices

Use Secure Connections (HTTPS)

Always ensure that your website uses a secure connection with

Mrudgandha Kulkarni

Updated on: 2026-03-16T21:38:54+05:30

1K+ Views

Kickstart Your Career

Get certified by completing the course

Get Started

Previous Next