Skip to content

[Security] API key field in 'Add Access Method' has autocomplete="on" — should be off #414

Description

@saqibmanan

Summary

The API key input in the Add New Access Method dialog is a type="password" field with autocomplete="on". Browser password managers may cache the value keyed to the current URL, and the key could autofill on unintended pages or be stored in browser sync.

Impact

  • API keys cached by browser password managers could be exposed if:
    • The browser account is compromised
    • The autofill triggers on a phishing page at a similar URL
    • The browser sync is enabled and sends keys to cloud storage

Fix Recommendation

Set autocomplete="off" (or autocomplete="new-password") on the API key input field in the Add Access Method dialog:

<input
  type="password"
  name="apiKey"
  autoComplete="new-password"
  ...
/>

Environment

  • URL: https://dev.civicdataspace.in/dashboard/organization/civicdatalab/aimodels/edit/{id}/versions (Add Access Method dialog)
  • Discovered: 2026-06-22 via QA audit
  • Report ref: SEC-004

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions