About This HTML Issue
A URL in an href attribute contains a username, password, or both (e.g., http://user:pass@example.com), which the W3C validator rejects because embedded credentials in URLs are a security risk.
Browsers have largely deprecated support for credentials in URLs. When a URL like http://user:password@example.com/page appears in HTML, the credentials are visible in the page source and can be leaked through referrer headers, proxy logs, or browser history. The WHATWG URL Standard defines username and password as URL components, but the HTML specification forbids their use in href attributes. Most modern browsers will strip the credentials or show a warning prompt rather than silently authenticate.
Remove the credentials from the URL. If authentication is required, handle it server side (redirects, session tokens, or an authentication flow) rather than embedding secrets in markup.
HTML examples
Invalid: URL with embedded credentials
<a href="https://admin:s3cret@example.com/dashboard">Dashboard</a>
Valid: URL without credentials
<a href="https://example.com/dashboard">Dashboard</a>
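An added example, not part of the original page or the validator's own code: a Python check that scans markup for href values carrying embedded credentials, using only the standard library. The class and function names and the sample markup are constructed for illustration; each finding reports the URL with the credentials stripped, so the scan output does not repeat the secret.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class CredentialHrefFinder(HTMLParser):
    """Collect href values whose URL carries a username and/or password."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, has_password, cleaned_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name != "href" or not value:
                continue
            try:
                parts = urlsplit(value.strip())
            except ValueError:
                continue  # malformed URL (e.g. bad IPv6 literal): a separate issue
            if not (parts.username or parts.password):
                continue
            # Strip the userinfo so the report itself does not leak the secret.
            host = parts.netloc.rpartition("@")[2]
            cleaned = urlunsplit(parts._replace(netloc=host))
            line, _ = self.getpos()
            self.findings.append((line, tag, parts.password is not None, cleaned))


def find_credential_hrefs(html):
    finder = CredentialHrefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup; the first link is the invalid example from this page.
SAMPLE = """<nav>
<a href="https://admin:s3cret@example.com/dashboard">Dashboard</a>
<a href="https://example.com/dashboard">Dashboard</a>
<a href="ftp://deploy@files.example.com:2121/builds/">Builds</a>
<a href="mailto:admin@example.com">Contact</a>
<a href="/login?next=user:pass@home">Relative</a>
</nav>"""

if __name__ == "__main__":
    for line, tag, has_password, cleaned in find_credential_hrefs(SAMPLE):
        kind = "username and password" if has_password else "username only"
        print(f"line {line}: <{tag}> href has {kind}; use {cleaned}")
```

urllib.parse splits URLs along RFC 3986 lines rather than implementing the WHATWG URL Standard, so run this as a pre-commit or CI check alongside the validator rather than in place of it.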