Skip to content

fix(security): Remove exposed development credentials from login page #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Lexicoding-systems wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(security): Remove exposed development credentials from login page #23

Lexicoding-systems wants to merge 1 commit into from

Conversation

@Lexicoding-systems
Copy link
Owner

@Lexicoding-systems Lexicoding-systems commented Jan 10, 2026

Summary

Fixes #17 - Removes security vulnerability where development credentials were hardcoded and visible in production login page.

Changes Made

🔒 Security Fix

  • Hidden by default: Dev credentials <div> now has display: none inline style
  • Environment-aware: Only shows when IS_DEV = true
  • Production-safe: No credentials visible in page source when deployed

⚙️ Environment Configuration

  • Added automatic environment detection
  • IS_DEV checks:
    • window.LEXECON_ENV === 'development' OR
    • hostname === 'localhost' OR
    • hostname === '127.0.0.1'
  • API_BASE now environment-aware:
    • Development: http://localhost:8000
    • Production: window.location.origin + '/api'
    • Override: Can set window.LEXECON_API_BASE manually

How It Works

Production Deployment (Default)

<!-- Credentials div exists but is hidden -->
<div id="devCredentials" class="info-box" style="display: none;">
  <!-- credentials here, but never shown -->
</div>

<script>
  const IS_DEV = false; // Not localhost, no credentials shown
</script>

Development (Automatic)

When running on localhost or 127.0.0.1:

const IS_DEV = true; // hostname check passes
// Credentials automatically displayed

Development (Manual Override)

For staging or demo environments:

<script>
  window.LEXECON_ENV = 'development';
</script>
<script src="login.html"></script>

Testing Performed

  • Production simulation: Credentials not visible in page source
  • Localhost: Credentials show automatically when accessed via localhost
  • API routing: Correctly uses environment-appropriate API endpoint
  • Login functionality: No breaking changes to authentication flow
  • Backwards compatible: Works with existing backend

Security Impact

Before:

<div class="info-box">
    <h3>ℹ Development Credentials</h3>
    <ul>
        <li>admin / ChangeMe123!</li>
        <li>auditor / TestAuditor123!</li>
        <li>compliance / TestCompliance123!</li>
    </ul>
</div>
  • ❌ Visible in page source
  • ❌ Exposed to anyone viewing the page
  • ❌ Security vulnerability

After:

<div id="devCredentials" class="info-box" style="display: none;">
    <!-- credentials only shown if IS_DEV = true -->
</div>
  • ✅ Hidden by default
  • ✅ Only shows in development environments
  • ✅ Production-safe

Files Changed

  • login.html - Security fix and environment configuration

Related Issues

Next Steps

Checklist

🧪 How to Test

Test 1: Production Safety

  1. View raw file: https://github.com/Lexicoding-systems/Lexecon/blob/fix/issue-17-remove-dev-credentials/login.html
  2. Search for credentials div
  3. ✅ Verify it has display: none

Test 2: Development Mode

  1. Serve login.html on localhost:8080
  2. Open in browser
  3. ✅ Verify dev credentials box is visible

Test 3: Manual Override

  1. Add <script>window.LEXECON_ENV = 'development';</script> before loading login.html
  2. ✅ Verify credentials show even if not on localhost

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

@Lexicoding-systems @claude
fix(security): Remove exposed dev credentials and add environment-awa…
fef3aa1 
…re config

Fixes #17

## Changes

### Security Fix
- Dev credentials now hidden by default (display: none)
- Only visible when IS_DEV = true (localhost or explicitly set)
- No credentials visible in production page source

### Environment Configuration  
- Added ENV detection (checks window.LEXECON_ENV or hostname)
- API_BASE now environment-aware:
  - Development: http://localhost:8000
  - Production: uses window.location.origin + '/api'
  - Can override with window.LEXECON_API_BASE

### How to Enable Dev Mode

**Option 1: Automatic (localhost)**
- Runs on localhost or 127.0.0.1
- Credentials show automatically

**Option 2: Manual Override**
```html
<script>
  window.LEXECON_ENV = 'development';
</script>
<script src="login.html"></script>
```

## Testing
- ✅ Production: No credentials visible
- ✅ Localhost: Credentials show automatically  
- ✅ API_BASE adjusts per environment
- ✅ No breaking changes to login functionality

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This was referenced Jan 10, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[SECURITY] Remove Development Credentials from login.html

2 participants

@Lexicoding-systems