Turn off autocomplete for credit card input
Memo to web developers building sites that accept credit card numbers:
Always, always set autocomplete="off" in the input tag. For example:
<input type="text" name="cc" autocomplete="off" />
Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.
The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation, however.
I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.
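One way to check existing pages for this, as an added example that is not part of the original post: a small Python audit that flags card-like inputs whose effective autocomplete setting is not "off". The field-name heuristic and the sample markup are assumptions, and the script goes slightly beyond the post by also honoring an autocomplete attribute set on the enclosing form.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic for "this field holds card data"; tune it for your own forms.
CARD_HINT = re.compile(r"(?<![a-z])(cc|ccnum|cvv|cvc)(?![a-z])|card", re.I)
SKIP_TYPES = {"hidden", "submit", "button", "checkbox", "radio"}

class CardFieldAudit(HTMLParser):
    """Collects card-like <input> tags whose effective autocomplete is not "off"."""

    def __init__(self):
        super().__init__()
        self.form_setting = None  # autocomplete value of the enclosing <form>, if any
        self.findings = []        # (line, field name, effective setting)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_setting = (a.get("autocomplete") or "").lower() or None
            return
        if tag != "input" or (a.get("type") or "text").lower() in SKIP_TYPES:
            return
        name = a.get("name") or a.get("id") or ""
        if not CARD_HINT.search(name):
            return
        # An attribute on the input itself overrides the one on the form.
        effective = (a["autocomplete"] or "").lower() if "autocomplete" in a else self.form_setting
        if effective != "off":
            self.findings.append((self.getpos()[0], name, effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None

def audit(html):
    parser = CardFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """\
<form action="/pay" method="post">
  <input type="text" name="account_name" />
  <input type="text" name="cc" />
  <input type="text" name="cvv" autocomplete="off" />
</form>
<form action="/pay2" method="post" autocomplete="off">
  <input type="text" name="cardNumber" />
  <input type="text" name="cc_exp" autocomplete="on" />
</form>
"""

if __name__ == "__main__":
    for line, name, setting in audit(SAMPLE):
        print(f"line {line}: input '{name}' has autocomplete={setting!r}")
```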
Turn off autocomplete for credit card input was first published on October 07, 2005.