Explain Codes LogoExplain Codes Logo

Is there a valid way to disable autocomplete in a HTML form?

html
autocomplete
security
javascript
Alex KataevbyAlex Kataev·Feb 25, 2025
TLDR

To disable the form autocomplete, apply autocomplete="off" directly to your <input> elements. For more security in fields like passwords, alter the name attribute value each time the form is loaded.

<input type="text" autocomplete="off"> <!-- No autocomplete for you! --> <input type="password" name="pwField_{{randomString}}" autocomplete="off"> <!-- Good Luck remembering this! -->

Beware! Some browsers may ignore this setting in favor of a better user experience.

Striking a balance: security vs standards

Standards such as those defined by the World Wide Web Consortium (W3C) are important, but don't let them handcuff your security efforts. When it comes to sensitive data, it's okay to bend the rules a bit in favor of safety.

Browsers and HTTPS: an implicit benefit

Have you noticed how some browsers automatically disable autocomplete for HTTPS sites? That's not a surefire rule, but it's a lovely bonus!

Scripting autocomplete: JavaScript to the rescue

If you want to ensure the autocomplete attribute is set to 'off' across all browsers, use a bit of JavaScript to dynamically apply the setting on form load.

Field name roulette: randomizing for security

Browsers are smarter than you think. They remember field names to predict what information they'll need next time. Randomize your field names to throw their predictive logic for a loop.

Even amazon does it: successful use cases

Need some inspiration? Look at Amazon. They use autocomplete successfully with their forms. If it's good enough for them, it's certainly worth considering for your site.

The user experience: balancing act in design

Keep in mind, while disabling autocomplete does improve security, it can get in the way of user usability. Striking a balance is key, but when in doubt, go for security.

Important regulations: compliance isn't an option

For certain industries like finance and healthcare, disabling browser autofill isn't just a good idea—it's mandatory!

W3C warnings are like your mother-in-law

Sometimes you just have to nod, smile, and carry on with your plans. In other words, ignore the warnings when they get in the way of a more secure user experience.