Both versions of Confluence and JIRA are using web forms with plain-text authentication and have AutoComplete enabled on the password field.
Does the latest version of each have both these issues resolved?
Autocomplete is a browser feature, not a Jira or Confluence feature.
If you're concerned with password authentication security, you should be running your Jira and Confluence instances using HTTPS.
We are using https, and it is still getting flagged by Qualys scans. And incorrect, the autocomplete feature is part of the form:
Contact the vendor to have the AutoComplete attribute disabled for the password field in all forms. The AutoComplete attribute should also be disabled for the user ID field.
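The Qualys finding quoted above is a static check on the login form's markup: every password input, and every user-ID input, that does not carry `autocomplete="off"` (either on the input itself or inherited from its enclosing `<form>`) is reported. The following is an added example, not code from this thread, from Atlassian or from Qualys, that reproduces that check with Python's standard-library HTML parser so you can run it against a saved copy of a login page before and after a vendor fix. The form HTML and the field names (`os_username`, `os_password`) are constructed for the example and are only assumed to resemble a Jira or Confluence login form.

```python
"""Flag login-form fields whose AutoComplete is not disabled (the check a scanner
such as Qualys performs). Added example; the HTML below is constructed and is
not the real Jira or Confluence login page."""
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed login page: neither the user ID nor the password field disables
# autocomplete (the browser default), and a second form that does, for contrast.
SAMPLE_FORM_HTML = """
<form id="login-form" method="post" action="/login.action">
  <input type="text" name="os_username" id="os_username">
  <input type="password" name="os_password" id="os_password">
  <input type="submit" value="Log in">
</form>
<form id="search" method="get" action="/search" autocomplete="off">
  <input type="text" name="q">
</form>
"""

# Assumed field names that identify a "user ID" input (a scanner uses a heuristic
# like this; the list is an assumption for the example).
USER_ID_NAMES = {"os_username", "username", "user", "login", "email"}


class AutoCompleteAuditor(HTMLParser):
    """Collects (form_id, field_name, input_type) for sensitive fields that a
    scanner would flag: password inputs and user-ID inputs where neither the
    input nor its enclosing form has autocomplete="off"."""

    def __init__(self) -> None:
        super().__init__()
        self._form_id: Optional[str] = None
        self._form_autocomplete_off = False
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._form_id = a.get("id") or "<anonymous>"
            self._form_autocomplete_off = (a.get("autocomplete") or "").lower() == "off"
            return
        if tag != "input":
            return
        kind = (a.get("type") or "text").lower()
        name = a.get("name") or a.get("id") or "<unnamed>"
        sensitive = kind == "password" or name.lower() in USER_ID_NAMES
        if not sensitive:
            return
        # AutoComplete counts as disabled if the input or its form says off.
        field_off = (a.get("autocomplete") or "").lower() == "off"
        if not (field_off or self._form_autocomplete_off):
            self.findings.append((self._form_id or "<none>", name, kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_id = None
            self._form_autocomplete_off = False


def audit_autocomplete(html: str) -> List[Tuple[str, str, str]]:
    """Return the fields a scanner would report for the given page source."""
    auditor = AutoCompleteAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for form_id, field, kind in audit_autocomplete(SAMPLE_FORM_HTML):
        print(f"form={form_id} field={field} type={kind}: AutoComplete not disabled")
```

Running it on the constructed page reports both `os_username` and `os_password`; adding `autocomplete="off"` to the password input (or to the form) removes the corresponding finding. Note that this is purely a markup check: it says nothing about whether a given browser honours the attribute, which is the point the later replies in this thread argue about.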
OK - I have determined the problem: both HTTP and HTTPS are enabled in the configurations for Jira and Confluence. My next question is that the server.xml file seems to have several ports:
Connector debug port of 8090
Server debug port of 8000
Connector port 8443
Then for JIRA:
server shutdown port 8190
Catalina connector port 8091
Catalina engine connector port 8444
How do I disable all but the 8443/8444 SSL ports?
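In a Tomcat server.xml only the `<Connector>` elements open HTTP(S) listeners; the `port` on the `<Server>` element is the shutdown command port, which is not an HTTP listener and, unless an `address` attribute says otherwise, is bound to localhost. So leaving only the TLS listeners means removing (or commenting out) every `Connector` that is not `SSLEnabled="true"`, not touching the `Server` port. The following is an added example, not code from this thread or from Atlassian, that does exactly that on a constructed server.xml in the same shape as the Confluence one described above (HTTP connector on 8090, HTTPS connector on 8443, shutdown port 8000); run it against the Jira file and the 8091/8444/8190 set is handled the same way. Back the file up first and restart the application afterwards.

```python
"""Keep only the TLS <Connector> elements in a Tomcat server.xml.

Added example; the XML below is constructed for the example and is not the
server.xml Atlassian ships."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed server.xml: one plaintext HTTP connector and one TLS connector.
SAMPLE_SERVER_XML = """\
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="HTTP/1.1" redirectPort="8443"
               maxThreads="48" connectionTimeout="20000" URIEncoding="UTF-8"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/atlassian/keystore" keystorePass="changeit"/>
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="" docBase="../confluence" reloadable="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def is_tls_connector(connector: ET.Element) -> bool:
    """True for a connector that terminates TLS itself (SSLEnabled="true";
    scheme="https" alone is accepted for older-style configurations)."""
    ssl_enabled = (connector.get("SSLEnabled") or "").lower() == "true"
    https_scheme = (connector.get("scheme") or "").lower() == "https"
    return ssl_enabled or https_scheme


def shutdown_port_is_local(root: ET.Element) -> bool:
    """The <Server> shutdown port binds to localhost unless 'address' says
    otherwise; flag anything else so it is not mistaken for a safe listener."""
    address = (root.get("address") or "localhost").lower()
    return address in {"localhost", "127.0.0.1", "::1"}


def strip_plaintext_connectors(server_xml: str) -> Tuple[str, List[int], List[int]]:
    """Return (rewritten_xml, kept_tls_ports, removed_plaintext_ports).

    Every non-TLS Connector (plain HTTP, AJP, ...) is dropped from its Service.
    Refuses to produce a file with no listener at all."""
    root = ET.fromstring(server_xml)
    kept: List[int] = []
    removed: List[int] = []
    for service in root.findall("Service"):
        for connector in list(service.findall("Connector")):
            port = int(connector.get("port", "0"))
            if is_tls_connector(connector):
                kept.append(port)
            else:
                service.remove(connector)
                removed.append(port)
    if not kept:
        raise ValueError("no TLS connector found; refusing to leave the server with no listener")
    return ET.tostring(root, encoding="unicode"), kept, removed


if __name__ == "__main__":
    new_xml, kept, removed = strip_plaintext_connectors(SAMPLE_SERVER_XML)
    print("kept TLS ports:", kept, "removed plaintext ports:", removed)
    print("shutdown port local:", shutdown_port_is_local(ET.fromstring(SAMPLE_SERVER_XML)))
    print(new_xml)
```

Because the rewritten file is produced by ElementTree, comments in the original server.xml are lost; if you want to keep them, use the script only to list the `removed` ports and comment those connectors out by hand. The `redirectPort` on the plaintext connector is irrelevant once that connector is gone, since nothing answers on the HTTP port to issue the redirect.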
I maintain that autocomplete is a browser feature. I'm quite sure that taking the measures described in that Mozilla page to disable autocomplete would generate more complaints from users than it would solve.
I know if Atlassian removed the capability for autocomplete I would receive many complaints about it from my user base. If this level of security is really important, your IT organization should use something such as Windows group policy to disable the feature.
You don't want to disable all those ports entirely, as they are required for the application to function. Perhaps you should use a software firewall on the system itself to block them from remote use.
I agree with Josh here on the "browser feature". HTML does not define it (which does not mean it's wrong, just not standard), but a lot of the more popular browsers try to respect it.
However, it is actually a bad idea.
Some browsers ignore it
Browsers can be configured to ignore it (I regularly do this)
For people who do use browsers that respect it, in real life, you're reducing their security. If a human has to enter their password every time because they don't have the option to save it somewhere, they will use simple, insecure passwords. If you force complex passwords on them, then they will write them down. In both cases, they will re-use passwords on different sites. Without autocomplete, you could easily be asking a human to remember hundreds of "secure" passwords safely. This simply will not happen.
The security conscious people use password safes (mine has over 1,000 high-entropy, unique passwords in it, and is protected by 2FA and a high-entropy password itself). These need to be able to autocomplete to be of any use.
So Atlassian is right. You really do not want to remove autocomplete.