I am implementing a web application composed of a JavaScript front end (a single-page application, if you prefer) and a Rails backend.
The front-end app makes requests to the server through an API, and I want to know what the best practice is for sending the password on login or password reset.
Should I send the clear password, or should I send the hash?
I think that both solutions have their drawbacks:
If I hash the password with JS, the user will have the code in their browser and can understand how I secure the password.
If I keep it clear, well, it is just clear and so it can be intercepted.
As long as you're using HTTPS, their password cannot be intercepted. Well... it probably won't be intercepted. But the tactics that they would have to use in order to capture that password are somewhat out of your control. The user will have to be sure that they are actually connected to your site.
I suggest reading this answer as well.
He goes over what it would take to intercept HTTPS communication. Your responsibility would be to make sure that your site only serves over HTTPS and that you have a completely valid certificate.
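As an added example (not code from the question or the answer above) of what that advice looks like on the Rails side: the SPA posts the plaintext password over HTTPS, and the server, never the browser, salts and stretches it before storing or comparing it. Rails would normally do this with `has_secure_password` and bcrypt; this file uses PBKDF2-HMAC-SHA256 from Ruby's `openssl` standard library so it runs without extra gems. The in-memory `USERS` table, the `register`/`login` helpers, the JSON body shape and the work factors are all assumptions made for the example.

```ruby
require "openssl"
require "securerandom"
require "json"

# Work factors are assumptions for this example: 600_000 is OWASP's current
# figure for PBKDF2-HMAC-SHA256; salt and output sizes are conventional.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32

# Constructed in-memory user table standing in for the Rails users model.
USERS = {}

# Server-side hashing: the plaintext arrives over TLS and is salted and
# stretched here. Nothing about this needs to run in the browser, so the
# user seeing the front-end JS learns nothing about how passwords are stored.
def hash_password(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = OpenSSL::KDF.pbkdf2_hmac(
    password, salt: salt, iterations: PBKDF2_ITERATIONS,
    length: KEY_BYTES, hash: "sha256"
  )
  { salt: salt.unpack1("H*"), iterations: PBKDF2_ITERATIONS, hash: digest.unpack1("H*") }
end

# Constant-time comparison so a wrong guess costs the same time regardless of
# how many leading bytes happened to match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Re-derive with the stored salt and iteration count and compare.
def verify_password(record, candidate)
  salt = [record[:salt]].pack("H*")
  digest = OpenSSL::KDF.pbkdf2_hmac(
    candidate, salt: salt, iterations: record[:iterations],
    length: KEY_BYTES, hash: "sha256"
  )
  secure_equal?(digest.unpack1("H*"), record[:hash])
end

def register(email, password)
  USERS[email] = hash_password(password)
end

# Stand-in for the login action: +body+ is the JSON the SPA POSTs over HTTPS,
# e.g. {"email": "...", "password": "..."}. Returns true only on success.
def login(body)
  params = JSON.parse(body)
  record = USERS[params["email"]]
  unless record
    # Burn the same KDF cost for unknown accounts so response time does not
    # reveal whether an email address is registered.
    hash_password(params["password"].to_s)
    return false
  end
  verify_password(record, params["password"].to_s)
end
```

Pair this with `config.force_ssl = true` in `config/environments/production.rb`, which makes Rails redirect plain HTTP to HTTPS and send an HSTS header, covering the "only serves over HTTPS" part of the answer. A client-side hash does not replace the server-side one: if the server stored or compared whatever hex the browser sent, that value would itself become the credential, so the server must hash what it receives either way.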