Safely using basic authentication for embedded process UI components
I have created an Embedded UI Component for use on an external server. The component simply displays a PCS web form that starts a particular process. I currently have it configured with basic authentication. I send an XHR request with basic authentication (base64-encoded username and password) to the process cloud instance with the deployed process/web form.
The component works; however, if I inspect the request with dev tools I obviously see the base64-encoded request. In other words, any user that inspects the request will be able to run an atob() method on the base64 encoding and get a cleartext username and password. This is obviously an issue even if I make the user an invocation user only for that process, because someone can log into the process cloud instance with those credentials.