Parse URLs with Authentication (user:pass@host)
Understand how userinfo (username and password) is embedded in URLs. Learn the security implications, when this format is used, and how browsers handle authentication in URLs.
Detailed Explanation
URL Authentication: The Userinfo Component
URLs can embed authentication credentials directly using the format protocol://username:password@hostname. This is known as the userinfo component and is defined in RFC 3986.
Syntax
```text
https://admin:s3cret@api.example.com:8080/dashboard
\___/   \___/ \____/ \_____________/ \__/\________/
  |       |     |           |         |      |
scheme  user  pass      hostname    port   path
```
How the URL API Parses It
```javascript
const url = new URL("https://admin:s3cret@api.example.com:8080/dashboard");
console.log(url.username); // "admin"
console.log(url.password); // "s3cret"
console.log(url.hostname); // "api.example.com"
console.log(url.host);     // "api.example.com:8080"
```
Common Uses
- Database connection strings — postgres://user:pass@localhost:5432/mydb
- FTP access — ftp://user:pass@ftp.example.com/files/
- Git remote URLs — https://token@github.com/org/repo.git
- Redis/AMQP — redis://default:password@cache.internal:6379
Security Considerations
- Never put passwords in URLs for web applications — they appear in browser history, server logs, and the HTTP Referer header
- Modern browsers may strip or warn about credentials in HTTP/HTTPS URLs
- Database and service connection strings with embedded credentials should be stored in environment variables, not code
- The @ character in a password must be percent-encoded as %40
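The following is an added example, not code from the original page, that applies the URL API parsing shown above to a database connection string and implements the handling the security list calls for: the string is read from the environment rather than hard-coded, and a redacted copy is produced before anything is logged. The connection string, host names and credentials are constructed samples, and the function names (`loadConnectionString`, `parseConnectionString`, `redactCredentials`, `hasEmbeddedCredentials`) are chosen here.

```javascript
// Constructed sample; a real deployment reads this from the environment.
// The password contains "%40", i.e. an encoded "@".
const SAMPLE_DATABASE_URL =
  "postgres://app_user:s3cret%40pw@db.internal:5432/orders";

// Read the connection string from an environment-like object instead of
// keeping it in source. Fails loudly when the variable is missing.
function loadConnectionString(env = process.env, name = "DATABASE_URL") {
  const value = env[name];
  if (!value) throw new Error(`${name} is not set`);
  return value;
}

// True when the URL carries a username or password in its userinfo part.
function hasEmbeddedCredentials(input) {
  const url = new URL(input);
  return url.username !== "" || url.password !== "";
}

// Split a connection string into the parts a client library wants.
// url.username / url.password come back still percent-encoded, so they
// are decoded here before use.
function parseConnectionString(input) {
  const url = new URL(input);
  return {
    scheme: url.protocol.replace(/:$/, ""),
    user: decodeURIComponent(url.username),
    password: decodeURIComponent(url.password),
    host: url.hostname,
    port: url.port === "" ? null : Number(url.port),
    database: url.pathname.replace(/^\//, ""),
  };
}

// Return a copy of the URL that is safe to log: the password is replaced,
// and when only a username is present (token-style URLs such as
// https://token@host/...) the username is the secret and is replaced too.
// Going through the setters keeps the rest of the URL intact.
function redactCredentials(input) {
  const url = new URL(input);
  if (url.password !== "") {
    url.password = "REDACTED";
  } else if (url.username !== "") {
    url.username = "REDACTED";
  }
  return url.href;
}

// Usage: never log the raw string, only the redacted form.
const conn = parseConnectionString(SAMPLE_DATABASE_URL);
console.log(`connecting to ${redactCredentials(SAMPLE_DATABASE_URL)} as ${conn.user}`);
```

`redactCredentials` is the function to call in error handlers and request logging; `parseConnectionString` is the one that hands decoded credentials to the client, and its output should never reach a log line.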
Special Characters
Username and password values must be percent-encoded if they contain reserved characters:
| Character | Encoded |
|---|---|
| @ | %40 |
| : | %3A |
| / | %2F |
| # | %23 |
| ? | %3F |
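As an added example (not code from the original page), the block below builds a URL whose password contains every character from the table and lets the URL API setters do the percent-encoding, then reads the credentials back out decoded. It also shows what goes wrong with plain string concatenation: an unencoded `?` or `#` ends the authority part early and the string is no longer a valid URL. The host names and credentials are constructed samples; `buildAuthenticatedUrl`, `extractCredentials` and `buildByConcatenation` are names chosen here.

```javascript
// Constructed sample password containing each reserved character from the table.
const RESERVED_PASSWORD = "p@ss:w/rd#1?";

// Assign userinfo through the setters rather than by string concatenation.
// The URL API percent-encodes @ : / # ? (and other reserved characters) in
// the username and password for us.
function buildAuthenticatedUrl(base, username, password) {
  const url = new URL(base);
  url.username = username;
  url.password = password;
  return url.href;
}

// Read the credentials back out, percent-decoded. Returns null when the
// input does not parse as a URL, which is what happens when an unencoded
// "?" or "#" in the password truncates the authority part.
function extractCredentials(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null;
  }
  return {
    username: decodeURIComponent(url.username),
    password: decodeURIComponent(url.password),
  };
}

// Naive concatenation, shown for comparison only: nothing is encoded, so the
// parser has to guess where the userinfo ends and the host begins.
function buildByConcatenation(scheme, username, password, host) {
  return `${scheme}://${username}:${password}@${host}/`;
}

// Usage
const safe = buildAuthenticatedUrl("https://api.example.com:8080/dashboard", "admin", RESERVED_PASSWORD);
console.log(safe); // password appears as p%40ss%3Aw%2Frd%231%3F
console.log(extractCredentials(safe)); // { username: "admin", password: "p@ss:w/rd#1?" }
console.log(extractCredentials(buildByConcatenation("https", "admin", "p?ss", "api.example.com"))); // null
```

A password with an extra `@` survives concatenation only because the parser treats the last `@` as the delimiter and encodes the earlier one as `%40`; a `?` or `#` does not survive, so the setters (or `encodeURIComponent` on each part) are the only reliable way to build these URLs.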
Use Case
Parsing authenticated URLs is common when working with database connection strings, internal API endpoints, and service discovery. DevOps engineers frequently construct and parse connection strings for PostgreSQL, MongoDB, Redis, and RabbitMQ. Understanding userinfo parsing helps catch security issues like accidentally exposing credentials in logs.