# Bad value X for attribute “href” on element “a”: URL includes credentials.

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-x-for-attribute-href-on-element-a-url-includes-credentials
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

A URL in an `href` attribute contains a username, password, or both (e.g., `http://user:pass@example.com`), which the W3C validator rejects because embedded credentials in URLs are a security risk.

Browsers have largely deprecated support for credentials in URLs. When a URL like `http://user:password@example.com/page` appears in HTML, the credentials are visible in the page source and can be leaked through referrer headers, proxy logs, or browser history. The [WHATWG URL Standard](https://url.spec.whatwg.org/#concept-url-username) defines username and password as URL components, but the [HTML specification](https://html.spec.whatwg.org/multipage/links.html#attr-hyperlink-href) forbids their use in `href` attributes. Most modern browsers will strip the credentials or show a warning prompt rather than silently authenticate.

Remove the credentials from the URL. If authentication is required, handle it server side (redirects, session tokens, or an authentication flow) rather than embedding secrets in markup.

## HTML examples

### Invalid: URL with embedded credentials

```html
<a href="https://admin:s3cret@example.com/dashboard">Dashboard</a>
```

### Valid: URL without credentials

```html
<a href="https://example.com/dashboard">Dashboard</a>
```