Apache – force autocomplete=off for password fields

If third-party software is installed, it is quite likely that the autocomplete attribute for password fields is not set to off. Editing such settings directly in the source code is possible most of the time, but it’s not the nicest way, and you also run into the problem that everything could be gone again after an update of the software.

A nice workaround is to use the substitute module (mod_substitute) to rewrite the HTML as Apache serves it.

# Disable autocomplete for password fields
<Location "/">
    AddOutputFilterByType SUBSTITUTE text/html
    Substitute "s|<input type=password|<input type=password autocomplete=off|i"
</Location>
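
The Substitute pattern above matches only the literal text `<input type=password` (case-insensitively), so fields written with quoted values or with another attribute first pass through unchanged. The following check is an added example, not part of the original post: it emulates the rule and lists the password fields that still allow autocomplete. The sample markup and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The page's rule, emulated: s|<input type=password|<input type=password autocomplete=off|i
PAGE_RULE = re.compile(r"<input type=password", re.IGNORECASE)


def apply_page_rule(html):
    """Rewrite markup the way the Substitute directive on this page would."""
    return PAGE_RULE.sub("<input type=password autocomplete=off", html)


class PasswordFieldAudit(HTMLParser):
    """Record each password input and whether autocomplete is off on it."""

    def __init__(self):
        super().__init__()
        self.fields = []  # (field name, autocomplete disabled?)

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "input" and attr.get("type", "").lower() == "password":
            disabled = attr.get("autocomplete", "").lower() == "off"
            self.fields.append((attr.get("name", "?"), disabled))


def unprotected_fields(html):
    """Return names of password inputs that still allow autocomplete."""
    audit = PasswordFieldAudit()
    audit.feed(html)
    audit.close()
    return [name for name, disabled in audit.fields if not disabled]


# Constructed sample markup: four ways a login form may write the field.
SAMPLE = """<form>
<input type=password name=pw1>
<INPUT TYPE=PASSWORD name=pw2>
<input type="password" name="pw3">
<input name="pw4" type=password>
</form>"""

if __name__ == "__main__":
    print("before:", unprotected_fields(SAMPLE))
    print("after: ", unprotected_fields(apply_page_rule(SAMPLE)))
```

Feeding a saved response body from the proxied application to `unprotected_fields` shows whether the filter covers the markup that application actually emits.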

Suggested Webserver security settings

#Security Settings start
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; pre
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' '

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

SSLProxyEngine on
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on

#Custom Settings
TraceEnable off
ServerSignature Off
ServerTokens Prod