dokploy/apps/dokploy/pages
viky 8b6481501e fix: add method="post" to auth forms to prevent credential leak in URL (#4683)
Auth forms (login, register, 2FA, backup-code, reset-password) had no
method attribute, defaulting to GET. react-hook-form's handleSubmit
preventDefault()s only after hydration; submitting in the pre-hydration
or no-JS window triggers a native GET to the current URL, leaking
email/password into the URL, history, access logs and Referer header.

Setting method="post" makes the native fallback a POST so credentials
go in the request body instead. Normal JS submit path is unchanged.
Verified in a browser: GET (?email&password) -> POST (clean URL).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 12:03:13 -06:00
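
Added example (not code from the dokploy repository): a static check for the condition the commit message describes, listing `<form>` opening tags in HTML or JSX/TSX source whose native, pre-hydration submission would be a GET. The function names and the sample markup are constructed for illustration.

```javascript
// Read the opening tag that starts at `start`. Braces and quotes are tracked so
// a ">" inside a JSX expression such as onSubmit={(e) => save(e)} does not end it.
function readOpeningTag(src, start) {
  let depth = 0, quote = null;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'" || c === "`") quote = c;
    else if (c === "{") depth++;
    else if (c === "}") depth--;
    else if (c === ">" && depth === 0) return src.slice(start, i + 1);
  }
  return src.slice(start); // unterminated tag: return what is left
}

// Method the browser uses for a native submit: "post", "dialog", "get",
// or "dynamic" when method={expr} cannot be decided from the source text.
function nativeMethod(tag) {
  const m = /\smethod\s*=\s*(?:"([^"]*)"|'([^']*)'|\{\s*["'`]([^"'`]*)["'`]\s*\}|(\{))/.exec(tag);
  if (!m) return "get"; // attribute absent: HTML defaults to GET
  if (m[4]) return "dynamic";
  const v = (m[1] ?? m[2] ?? m[3]).trim().toLowerCase();
  return v === "post" || v === "dialog" ? v : "get"; // invalid values also mean GET
}

// Case-sensitive on purpose: in JSX a capitalized <Form> is a component, not the DOM element.
function findGetForms(src) {
  const findings = [];
  const re = /<form(?=[\s>])/g;
  for (let m; (m = re.exec(src)); ) {
    const method = nativeMethod(readOpeningTag(src, m.index));
    if (method === "get" || method === "dynamic") {
      findings.push({ line: src.slice(0, m.index).split("\n").length, method });
    }
  }
  return findings;
}

// Constructed sample markup (not taken from the repository).
const SAMPLE = [
  '<Form {...form}>',
  '  <form onSubmit={form.handleSubmit((v) => login(v))} className="grid"></form>',
  '</Form>',
  '<form method={"POST"} onSubmit={(e) => e.preventDefault()}></form>',
  '<form method={mode}></form>',
].join("\n");

console.log(findGetForms(SAMPLE));
```

Entries reported as `dynamic` need a manual look, since the method value is only known at runtime.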