From 1f8866f8652e9030df37a67c7da0947f94ed2419 Mon Sep 17 00:00:00 2001
From: vikyw89
Date: Mon, 22 Jun 2026 15:43:32 +0000
Subject: [PATCH] fix: add method="post" to auth forms to prevent credential leak in URL
Auth forms (login, register, 2FA, backup-code, reset-password) had no method attribute, defaulting to GET. react-hook-form's handleSubmit preventDefault()s only after hydration; submitting in the pre-hydration or no-JS window triggers a native GET to the current URL, leaking email/password into the URL, history, access logs and Referer header. Setting method="post" makes the native fallback a POST so credentials go in the request body instead. Normal JS submit path is unchanged. Verified in a browser: GET (?email&password) -> POST (clean URL).
Co-Authored-By: Claude Opus 4.8 (1M context)
---
apps/dokploy/pages/index.tsx | 8 +++++++-
apps/dokploy/pages/register.tsx | 1 +
apps/dokploy/pages/reset-password.tsx | 1 +
apps/dokploy/pages/send-reset-password.tsx | 1 +
4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/apps/dokploy/pages/index.tsx b/apps/dokploy/pages/index.tsx
index a9aaf7263f..8e53e46585 100644
--- a/apps/dokploy/pages/index.tsx
+++ b/apps/dokploy/pages/index.tsx
@@ -182,6 +182,7 @@ export default function Home({ IS_CLOUD, enforceSSO }: Props) { {IS_CLOUD && }
- +
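Review bot: Nothing in the markup records why `method="post"` sits on a form that react-hook-form already submits through `handleSubmit`, so a later cleanup could drop the attribute as redundant and reopen the GET fallback the description explains; a short JSX comment beside each form would hold it in place, e.g. `{/* method="post": a native submit before hydration must not put credentials in the query string */}`. The same applies to the forms patched in register.tsx, reset-password.tsx and send-reset-password.tsx, and to the other auth forms in index.tsx. Separately, with no `action` set the fallback POST presumably goes to the page route itself (the description says "current URL"), so in that window the password still leaves the browser and the sign-in does not complete; keeping the submit button disabled until a mounted flag set in `useEffect` flips would close the window rather than only move the credentials into the body. The form tags themselves are not visible in this extract, so these points rest on the commit description and the diffstat.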
{ )}
diff --git a/apps/dokploy/pages/reset-password.tsx b/apps/dokploy/pages/reset-password.tsx
index eff2389791..46a6552987 100644
--- a/apps/dokploy/pages/reset-password.tsx
+++ b/apps/dokploy/pages/reset-password.tsx
@@ -123,6 +123,7 @@ export default function Home({ tokenResetPassword }: Props) { )}
diff --git a/apps/dokploy/pages/send-reset-password.tsx b/apps/dokploy/pages/send-reset-password.tsx
index 63154d0501..7d3c47d518 100644
--- a/apps/dokploy/pages/send-reset-password.tsx
+++ b/apps/dokploy/pages/send-reset-password.tsx
@@ -110,6 +110,7 @@ export default function Home() { {!temp.is2FAEnabled ? (