HTTP URL contains a password input field

This means that the URL in question uses the HTTP protocol, but contains a form with a password input field.

Why is this important?

Sensitive data such as passwords should be transferred using a secure method. Since HTTP URLs are not secured with SSL, the form itself could be compromised before the data gets processed, therefore this is not secure.

What does the Hint check?

This Hint will trigger for any internal HTTP URL which contains a <input type=password> password field.

Examples that trigger this Hint:

This Hint would trigger for any URL if it contained the following in the HTML:

<form>
 User name:<br>
 <input type="text" name="username"><br>
 User password:<br>
 <input type="password" name="psw">
</form>

How do you resolve this issue?

The best approach would be to load the entire site over HTTPS, since there are loads of good reasons to do this.

However, if this is not possible, then you need to remove the form from the HTTPS page, and instead link to a dedicated (HTTPS) page or pop it up in a separate window.

Further reading

• Avoiding the Not Secure Warning in Chrome
• Your login form posts to HTTPS, but you blew it when you loaded it over HTTP
• W3C: Is origin potentially trustworthy?
• Mozilla: No More Passwords over HTTP, Please!
• Google Security Blog: Moving towards a more secure web