How can I hide the FTP cleartext password in my browser's URL line?
To log in to an FTP server by username and password, Apache uses different strategies. If the URL contains no user name and password at all, Apache sends an anonymous login to the FTP server, i.e.,
FileZilla - The free FTP solution for both client and server. FileZilla is open source software distributed free of charge. In the FileZilla Server Options window, in the tree on the left side, select SSL/TLS settings. On the right side, under SSL/TLS settings, check Enable SSL/TLS support. In the Private key file box, enter the location of the key file that you generated when you created the CSR. For example, C:\Program Files\FileZilla Server\your domainname.key.
This works for all popular FTP servers which are configured for anonymous access.
For a personal login with a specific username, you can embed the user name into the URL, as in:
If the FTP server asks for a password when given this username (which it should), then Apache will reply with a
401 (Authorization required) response, which causes the browser to pop up the username/password dialog. Upon entering the password, the connection attempt is retried, and if successful, the requested resource is presented. The advantage of this procedure is that your browser does not display the password in cleartext (which it would if you had used
in the first place).
A password transmitted in this way is not encrypted in transit. It travels between your browser and the Apache proxy server as a base64-encoded cleartext string, and between the Apache proxy and the FTP server as plaintext. You should therefore think twice before accessing your FTP server via HTTP (or before accessing your personal files via FTP at all!). When using insecure channels, an eavesdropper might intercept your password on its way.
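The following Python sketch is an added example, not part of the Apache documentation. It masks passwords embedded in FTP URLs before a log line or history export is stored, and it decodes a Basic credential to show that base64 offers no confidentiality. The host name, user name, password and log line are constructed sample values.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit

# ftp:// URLs embedded in free text such as proxy logs or history exports.
FTP_URL = re.compile(r"ftp://[^\s\"'<>]+", re.IGNORECASE)


def redact_ftp_url(url):
    """Return (url, had_password) with any password in the userinfo masked."""
    parts = urlsplit(url)
    # rpartition: an unencoded '@' inside the password must not split the host.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    user, colon, _password = userinfo.partition(":")
    if not at or not colon:
        return url, False  # anonymous or user-only URL: nothing to mask
    return urlunsplit(parts._replace(netloc=f"{user}:***@{hostport}")), True


def scrub_line(line):
    """Mask every embedded FTP password in a line; return (line, count)."""
    hits = 0

    def repl(match):
        nonlocal hits
        clean, had = redact_ftp_url(match.group(0))
        hits += had
        return clean

    return FTP_URL.sub(repl, line), hits


def decode_basic(value):
    """Recover (user, password) from a Basic credential: base64 is reversible."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample data (host, user and password are made up).
    log = 'GET ftp://alice:s3cret@ftp.example.org/pub/report.txt HTTP/1.1'
    print(scrub_line(log))
    print(decode_basic("Basic YWxpY2U6czNjcmV0"))
```

A non-zero count from `scrub_line` means a password was stored in cleartext at the source and should be rotated, since masking the log does not undo the earlier exposure.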