WebConfig icon indicating copy to clipboard operation
WebConfig copied to clipboard
verified publisher icon GerLech

Wifi password should not be transmitted to the browser

Open matztam opened this issue 2 years ago • 2 comments

The form contains the currently configured wifi password. However, this should not be transmitted to the browser. Otherwise, it can be read out by third parties if the network is not available and the ESP falls back into AP mode. Therefore, the input field should always be displayed empty and the configuration value should only be changed if the input field has been filled in.

matztam avatar Apr 21 '23 16:04 matztam

It can be read in both AP mode and STA mode.

Anyhow, some kind of password protection for the config page would also be nice thing to have.

pesasa avatar Jul 14 '23 10:07 pesasa

You can change Line 332 in WebConfig.cpp from case INPUTPASSWORD: createSimple(_buf, _description[i].name, _description[i].label, "password", values[i]); to case INPUTPASSWORD: createSimple(_buf, _description[i].name, _description[i].label, "password", "");

This makes it send no stored Password to your Browser and the Field is always Empty on reload. However this is still kinda janky cause the Password is still stored in Clear Text on the ESP and on top transmitted without any Encryption via HTTP.

SushiRemover avatar Feb 07 '24 09:02 SushiRemover