Proposal: set autoFillAndSend to false by default #259
Closed
Description
Expected Behavior
Currently, the HTTP autoFillAndSend option is set to true by default. HTTP Basic Auth is very insecure, and most users should probably not be autofilling HTTP credentials.
Current Behavior
With autoFillAndSend enabled by default, users are exposed to a number of problems out of the box, including:
- Sending passwords in base64 encoding (which can be trivially converted back to plaintext).
- Sending passwords repeatedly, with each request (larger attack window).
- Password caching in the browser, at a minimum for the lifetime of the process (CSRF attacks).
While there are certainly situations where a user could want to enable this option, it is much safer for new users if the option is disabled by default.
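As an added example (not code from this issue or from the project), the following audit runs over a constructed set of captured request records and demonstrates the first two points: a `Basic` Authorization header decodes straight back to the plaintext password, and the same credential is re-sent on every request, with a count of how many of those sends went over plaintext HTTP. `SAMPLE_REQUESTS`, `decode_basic` and `audit_basic_auth` are names chosen here and are not part of the project.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample of captured requests (not real traffic): the same Basic
# credential is sent on three consecutive requests to an http:// host.
SAMPLE_REQUESTS = [
    {"url": "http://intranet.example/api/status",
     "headers": {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}},
    {"url": "http://intranet.example/api/items",
     "headers": {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}},
    {"url": "http://intranet.example/api/items/7",
     "headers": {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}},
    {"url": "https://secure.example/login",
     "headers": {"Authorization": "Basic Ym9iOnMzY3JldA=="}},
    {"url": "https://api.example/v1", "headers": {"Authorization": "Bearer tok"}},
    {"url": "https://static.example/app.js", "headers": {}},
]


def decode_basic(header_value):
    """Return (user, password) from a 'Basic <b64>' header, or None if it is not one."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # base64 is an encoding, not encryption: this is the whole "decryption" step.
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def audit_basic_auth(requests):
    """Per (host, user): how often the credential was sent and how many sends used plain http."""
    findings = {}
    for req in requests:
        creds = decode_basic(req["headers"].get("Authorization", ""))
        if creds is None:
            continue
        parts = urlsplit(req["url"])
        entry = findings.setdefault((parts.hostname, creds[0]), {"sends": 0, "plaintext": 0})
        entry["sends"] += 1
        if parts.scheme == "http":
            entry["plaintext"] += 1
    return findings


if __name__ == "__main__":
    for (host, user), stats in audit_basic_auth(SAMPLE_REQUESTS).items():
        print(f"{user}@{host}: sent {stats['sends']}x, {stats['plaintext']} over plain http")
```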
Possible Solution
Set the default of autoFillAndSend to false.