topic Encrypt User Credentials from FormLogin.htm in QlikView https://community.qlik.com/t5/QlikView/Encrypt-User-Credentials-from-FormLogin-htm/m-p/889339#M1329944 <HTML><HEAD></HEAD><BODY><P>Hallo all, </P><P></P><P>I have a customer who has a requirement to encrypt the userid and password from the FormLogin.html page.</P><P>Setup:</P><P>QV11 SR5, DMS is place with HTTPS.</P><P>The QV webserver (IIS) is accessible over the internet in Public DMZ, QVS in Private DMZ.</P><P></P><P>If an URL parameter is used to send login credentials, web browsers may store this information as</P><P>part of the browser's history. If a malicious individual obtains access to the targeted computer in</P><P>which the credentials were saved, it may be possible to recover these saved credentials from the</P><P>browser and use them to gain access to the application and launch further attacks on the system.</P><P>Furthermore, the direct access capability (or handling of the GET method using URL parameters)</P><P>may simplify the ability for a malicious individual to perform “phishing” or cross-site scripting attacks,</P><P>which are designed to gain unauthorized access to the application and/or sensitive information.</P><P>An affected URL may be logged within the user's browser, the web server, and any forward</P><P>or reverse proxy servers between the client and webserver. URLs are also displayed on-screen,</P><P>bookmarked or emailed by users. They may be disclosed to third parties via the Referrer header.</P><P></P><P>Does anyone have any ideas on how to resolve this threat?</P><P></P><P>Much appreciated!</P></BODY></HTML> Mon, 26 Jan 2026 18:19:17 GMT 2026-01-26T18:19:17Z Encrypt User Credentials from FormLogin.htm https://community.qlik.com/t5/QlikView/Encrypt-User-Credentials-from-FormLogin-htm/m-p/889339#M1329944 <HTML><HEAD></HEAD><BODY><P>Hallo all, </P><P></P><P>I have a customer who has a requirement to encrypt the userid and password from the FormLogin.html page.</P><P>Setup:</P><P>QV11 SR5, DMS is place with HTTPS.</P><P>The QV webserver (IIS) is accessible over the internet in Public DMZ, QVS in Private DMZ.</P><P></P><P>If an URL parameter is used to send login credentials, web browsers may store this information as</P><P>part of the browser's history. If a malicious individual obtains access to the targeted computer in</P><P>which the credentials were saved, it may be possible to recover these saved credentials from the</P><P>browser and use them to gain access to the application and launch further attacks on the system.</P><P>Furthermore, the direct access capability (or handling of the GET method using URL parameters)</P><P>may simplify the ability for a malicious individual to perform “phishing” or cross-site scripting attacks,</P><P>which are designed to gain unauthorized access to the application and/or sensitive information.</P><P>An affected URL may be logged within the user's browser, the web server, and any forward</P><P>or reverse proxy servers between the client and webserver. URLs are also displayed on-screen,</P><P>bookmarked or emailed by users. They may be disclosed to third parties via the Referrer header.</P><P></P><P>Does anyone have any ideas on how to resolve this threat?</P><P></P><P>Much appreciated!</P></BODY></HTML> Mon, 26 Jan 2026 18:19:17 GMT https://community.qlik.com/t5/QlikView/Encrypt-User-Credentials-from-FormLogin-htm/m-p/889339#M1329944 2026-01-26T18:19:17Z