Apache – force autocomplete=off for password fields

If 3rd party software is installed it is quite likely that the autocomplete attribute for password fields is not set to off. Editing such settings directly in the sourceode is possible most of the time, but it’s not the nicest way and you also run into the problem that everything could be gone again after an update of the software.

A nice workaround is to use the substitute module to accomplish that.

<Location "/">
    AddOutputFilterByType SUBSTITUTE text/html
    Substitute "s|<input type=password|<input type=password autocomplete=off|i"
</Location>
disable autocomplete for password fields

Suggested Webserver security settings


#Security Settings start
#https://securityheaders.io/?q=blog.fawcs.info&hide=on&followRedirects=on
#HSTS-enabled
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; pre
#Content-Security-Policy
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' '
#Public-Key-Pins


#X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
#X-XSS-Protection
Header always set X-Xss-Protection "1; mode=block"
#X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"

SSLProxyEngine on
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+S !3DES !MD5 !EXP !PSK !SRP !DSS"

#Custom Settings
TraceEnable off
ServerSignature Off
ServerTokens Prod