Issue
When inspecting the payload of an XAS request (a request between the Mendix client and the runtime), sensitive fields are not encrypted at the application level. For example, when a user logs in, the username and password can be read in clear text in the body of the XAS request when it is viewed in the browser's developer tools.
Environment
Studio Pro (all versions)
Cause
Mendix uses a default authentication mechanism in which the username and password are sent in the request body to the /xas/ endpoint for validation. This is standard behavior for web applications: credentials are not separately encrypted at the application layer, because the transport layer is expected to provide that protection. When the app is served over HTTPS, the entire exchange between the client and the server is encrypted by TLS, including the login payload. The password is therefore not transmitted in plaintext and cannot be read by a third party that intercepts the traffic.
Solution/Workaround
Serving the application over HTTPS is the intended way to protect passwords and other sensitive data in transit between the client and the server. The important distinction is where the encryption applies: over HTTPS the whole HTTP exchange (headers and body) is encrypted between the browser and the server, so nobody positioned between them, for example another host on the same network, can read the unencrypted contents. The encryption is applied in the browser and removed at the server (or at a TLS-terminating proxy that you operate in front of it), so the payload exists in clear text only at those endpoints. Make sure the application is reachable only over HTTPS, for example by redirecting plain HTTP to HTTPS and enabling HSTS, so that a client cannot fall back to an unencrypted connection.
When inspecting network requests in the browser's DevTools (for example Chrome DevTools), the data shown is the decrypted request and response. DevTools sits inside the browser, before the request is encrypted and after the response is decrypted, and shows the exchange in clear text for debugging purposes. Seeing the password there does not mean it was sent unencrypted; only a capture on the wire (for example with a packet sniffer) shows what a third party would see, and over HTTPS that is ciphertext.
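As a practitioner's check that the HTTPS guarantee described above is actually enforced, the following Python script is an added example (it is not Mendix's own code and not part of this article). It inspects a captured HTTP response for a redirect from plain HTTP to HTTPS, a Strict-Transport-Security header with a sufficient max-age, and the Secure and HttpOnly flags on session cookies. The host name, the sample responses and the cookie name used below are constructed for illustration.

```python
"""Transport-security check for an HTTP endpoint such as a Mendix app's /xas/.

Added example, not Mendix's own code. Given a captured HTTP response
(constructed inline below), it reports whether the app actually forces
the encrypted channel that the article relies on: plain-HTTP requests
must be redirected to HTTPS, HSTS must be set with a meaningful max-age,
and session cookies must carry the Secure and HttpOnly flags.
"""
from typing import Dict, List
from urllib.parse import urlparse

MIN_HSTS_MAX_AGE = 31536000  # one year, a common baseline for HSTS


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse a Strict-Transport-Security header value into its directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def transport_findings(url: str, status: int, headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means the transport is enforced.

    headers maps lower-cased header names to the list of values seen,
    so repeated Set-Cookie headers are preserved.
    """
    findings: List[str] = []
    scheme = urlparse(url).scheme.lower()
    location = headers.get("location", [""])[0]

    if scheme == "http":
        # A plain-HTTP request must be answered with a redirect to https://,
        # otherwise a login payload would travel unencrypted.
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("plain HTTP request was served without redirect to HTTPS")
        return findings  # the remaining checks apply to the HTTPS response only

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts[0])
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")

    for cookie in headers.get("set-cookie", []):
        name = cookie.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks the HttpOnly flag")
    return findings


# Constructed sample responses (not captured from a real deployment);
# the host name and cookie name are illustrative assumptions.
WEAK_HTTP = ("http://app.example.test/xas/", 200, {"content-type": ["application/json"]})
WEAK_HTTPS = (
    "https://app.example.test/xas/",
    200,
    {"set-cookie": ["XASSESSIONID=abc; Path=/; HttpOnly"]},
)
HARDENED_HTTP = (
    "http://app.example.test/xas/",
    301,
    {"location": ["https://app.example.test/xas/"]},
)
HARDENED_HTTPS = (
    "https://app.example.test/xas/",
    200,
    {
        "strict-transport-security": ["max-age=31536000; includeSubDomains"],
        "set-cookie": ["XASSESSIONID=abc; Path=/; Secure; HttpOnly"],
    },
)

if __name__ == "__main__":
    for sample in (WEAK_HTTP, WEAK_HTTPS, HARDENED_HTTP, HARDENED_HTTPS):
        print(sample[0], sample[1], transport_findings(*sample) or "OK")
```

To use it against a real deployment, feed the function the status code and headers returned for a plain-HTTP request to the app and for the HTTPS login request; the HTTPS response must produce no findings and the HTTP response must be a redirect, otherwise the clear-text payload visible in DevTools can also be sent in clear text on the wire.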
Further implementation details fall outside the scope of Mendix Support.
Internal information related
- 229174
- C1H3QALCX/p1726825947316069
Additional information
Mendix documentation: Request Handlers
Other documentation: HTTPS