This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 36%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZ%3C/text%3E%3C/svg%3E)
I'm new to B2C so excuse me if my question is about something obvious. There is a custom policy that is used for set password after registration. The policy is working fine and updates the password. If the same link is used again in the browser the policy correctly shows an error that the activation link has expired. The problem is that if someone captures the HTTP requests and particularly the POST request that changes the password and sends it again in a tool with a new value for the password field it actually updates the password in B2C. Could you please recommend how to secure this POST step?
Hello @ZS
All B2C calls are by default over HTTPS, which includes the POST call to set or change the password in the B2C directory as well. To modify the body of the POST call, the call needs to be decrypted first.
If you are storing the password in an external database or external system via REST API Technical Profile, you need to make sure that the service URL in that Technical Profile is also configured to use HTTPS and not HTTP.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.