Don’t allow autocomplete on register page

This is a potential attack vector which was highlighted by the pen test.

Setting autocomplete to `nope` (or any random string) is the most comprehensive
way of telling browsers not to autocomplete a form according to:
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
Chris Hill-Scott
2016-02-15 13:05:25 +00:00
parent 78fe2b463a
commit 2124821e00
2 changed files with 2 additions and 2 deletions

@@ -14,7 +14,7 @@ Create an account GOV.UK Notify
<p>If you've used GOV.UK Notify before, <a href="{{ url_for('.sign_in') }}">sign in to your account</a>.</p>
<form autocomplete="off" action="" method="post">
<form method="post" autocomplete="nope">
{{ textbox(form.name, width='3-4') }}
{{ textbox(form.email_address, hint="Your email address must end in .gov.uk", width='3-4') }}
{{ textbox(form.mobile_number, width='3-4') }}
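
Review bot: On the added `<form method="post" autocomplete="nope">` line, `nope` is not a value the form element's `autocomplete` attribute defines (it takes only `on` and `off`), and the HTML standard treats an unrecognised value as `on`, so this can weaken the `autocomplete="off"` it replaces instead of strengthening it. Consider keeping `autocomplete="off"` on the form and putting any per-field value on the inputs rendered by the `textbox(...)` calls, with a template comment explaining the choice, since `nope` reads like a typo to the next maintainer. The same line also drops `action=""`, which the commit message does not mention; worth confirming that is intentional.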

@@ -14,7 +14,7 @@
<p>If you do not have an account, you can <a href="register">register for one now</a>.</p>
<form autocomplete="off" method="post">
<form method="post" autocomplete="nope">
{{ textbox(form.email_address) }}
{{ textbox(form.password) }}
{{ page_footer("Continue", secondary_link=url_for('.forgot_password'), secondary_link_text="Forgotten password?") }}
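
Review bot: The commit subject names only the register page, but this hunk changes the form that holds `form.email_address` and `form.password` with a "Forgotten password?" link, which is the sign-in form, so the message should say that both templates are affected. Since the field of interest here is `form.password`, please also state whether the intent is to stop browsers and password managers from filling saved credentials, and confirm in the target browsers that a form-level `autocomplete="nope"` actually has that effect; the attribute is set on the `<form>` only and nothing in the visible lines sets it on the inputs themselves.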