Will It Vibe logoWill It Vibe?
PRIVACY-011Medium severity-8 points

Password form submits to a plaintext http:// action

Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A <form> containing a type="password" input has an action attribute pointing at a literal http:// URL, so the password travels the network unencrypted.

Why it matters

A login or signup form that posts to a plain http:// action sends the password across the network without encryption, so anyone on the same network (coffee-shop Wi-Fi, a corporate proxy, an ISP) can read it in transit. This is a direct, easily exploitable exposure of a live credential, not a theoretical risk, and modern browsers increasingly flag or block exactly this pattern. It usually indicates a leftover development URL or a misconfigured environment variable rather than an intentional choice.

How to fix it

Change the form action to an https:// URL, and if the target host does not support TLS yet, get a certificate before this form ships (a free one from Let's Encrypt is enough). Also check whether the action URL should have been an environment variable that resolved to https in production and only happened to resolve to http here.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Documentation, UX & Accessibility checks