We recently performed a security scan against our Hudson instance. In the scan report, we were flagged with a high issue for password management: Insecure Submission. When a user is logging in to Hudson, the user password was found in the query string of a GET request or Set-Cookie header. The recommendation is to ensure that login information is sent with a POST request. Any chance of fixing that in a future version of Hudson?
Can you please give more detail about:
- Version of Hudson
- User directory (realm) setup (Hudson database, LDAP, etc.)
- Authorization scheme

I just did a quick check: both login modes, regular form submission and dialog jQuery submission, use POST. See attached image (Firebug debug).
Created attachment 252206: Firebug debug showing login submission as POST
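To confirm or rule out a finding like the one reported above from a captured login exchange, the check can be reproduced offline. The following is an added example, not code from Hudson or from the scanner: the parameter names in `SENSITIVE`, the host `hudson.example` and the `/login-check` path are assumptions, and the sample exchanges are constructed. It flags a credential parameter in the query string of any request, which is slightly broader than the GET-only case in the report.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter/cookie names treated as credentials (assumed; match them to the login form under test).
SENSITIVE = {"password", "passwd", "pwd", "j_password"}

def audit_exchange(method, url, response_headers=()):
    """Return findings for one HTTP exchange where a credential is exposed
    in the URL query string or stored in a Set-Cookie header."""
    findings = []
    # Query strings end up in access logs, browser history and Referer headers.
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            findings.append(f"{method} query string carries '{name}'")
    for header, value in response_headers:
        if header.lower() != "set-cookie":
            continue
        # The first name=value pair is the cookie; what follows are attributes.
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        if cookie_name.lower() in SENSITIVE:
            findings.append(f"Set-Cookie stores '{cookie_name}'")
    return findings

# Constructed sample capture: (method, url, response headers).
# The POST body is not inspected: that is where the recommendation wants the credential.
SAMPLE = [
    ("GET", "http://hudson.example/login?from=%2F",
     [("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly")]),
    ("POST", "http://hudson.example/login-check", []),
    ("GET", "http://hudson.example/login-check?j_username=alice&j_password=s3cret", []),
    ("POST", "http://hudson.example/login-check",
     [("Set-Cookie", "password=s3cret; Path=/")]),
]

def audit_capture(exchanges):
    """Map the index of each flagged exchange to its findings."""
    report = {}
    for i, (method, url, headers) in enumerate(exchanges):
        findings = audit_exchange(method, url, headers)
        if findings:
            report[i] = findings
    return report

if __name__ == "__main__":
    for index, findings in audit_capture(SAMPLE).items():
        print(index, SAMPLE[index][0], SAMPLE[index][1], findings)
```

Feeding it the requests seen in a browser network capture of the login shows whether the scanner's result is reproducible or a false positive.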
The Eclipse Hudson project has been terminated and archived.