FortiManager
singhl
Staff
Article Id 419740
Description

This article describes why plain text login credentials are seen in the browser's developer tools.

Scope

FortiManager, FortiAnalyzer, FortiGate.

Solution

When viewing network requests in the browser's developer tools, the payload of an authentication request may show the username and password in plain text. This is expected for any application that authenticates over HTTPS: the developer tools display the request as the browser builds it, and TLS encrypts the whole request before it leaves the browser, so communication with the Fortinet device remains protected.

This is standard practice and not a security risk.

The browser simply collects the credentials entered on the login page and prepares an HTTPS POST request to send them to the server. That is what is shown in the browser developer tools. However, before transmission, the information is encrypted by TLS, ensuring that the data is securely sent over the HTTPS channel. Because TLS operates below the application layer, browser tools cannot show the encrypted form of the payload.

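To make the three layers in the paragraph above concrete, here is an added Go example (not Fortinet code; it uses Go's httptest package to stand up a local self-signed HTTPS server in place of a FortiManager, with constructed credentials): it returns the form body exactly as DevTools would display it, confirms the server handler still receives the password after TLS decryption, and checks that the plaintext password never occurs in the raw bytes that cross the wire.

```go
package main

import (
	"bytes"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// wireTap wraps the server's listener and records every byte the client
// sends, which is what a packet capture on the network would see.
type wireTap struct {
	net.Listener
	raw bytes.Buffer
}
type tapConn struct{ net.Conn; t *wireTap }
func (c *tapConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	c.t.raw.Write(p[:n]) // safe: the server's connection goroutine is the only writer
	return n, err
}
func (t *wireTap) Accept() (net.Conn, error) {
	c, err := t.Listener.Accept()
	if err != nil {
		return nil, err
	}
	return &tapConn{Conn: c, t: t}, nil
}

// RunLogin posts constructed credentials to a local self-signed HTTPS server
// (stand-in for a FortiManager login endpoint) and returns the application-layer
// body (what DevTools displays), whether the handler read the password after
// TLS decryption, and whether the plaintext password occurs in the raw wire bytes.
func RunLogin(user, pass string) (devTools string, serverSaw, onWire bool) {
	seen := make(chan string, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.PostFormValue("password") // server sees plaintext after TLS decryption
	}))
	tap := &wireTap{Listener: srv.Listener}
	srv.Listener = tap
	srv.StartTLS()
	body := url.Values{"username": {user}, "password": {pass}}.Encode()
	resp, err := srv.Client().Post(srv.URL+"/login", "application/x-www-form-urlencoded", strings.NewReader(body))
	if err != nil {
		panic(err)
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	srv.Close() // waits for the connection goroutine, so tap.raw is complete
	return body, <-seen == pass, bytes.Contains(tap.raw.Bytes(), []byte(pass))
}
```

The returned body is the same plain text DevTools renders in the request payload, while the wire bytes contain only the TLS handshake and encrypted records.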
In some cases, the authentication request or its payload may not be visible at all. This can happen when the 'Preserve log' option in the Network tab of the browser tools is disabled, so the request is cleared automatically when the page reloads into a different application. Such a reload occurs when the login/authentication page and the main application are separate applications.