is putting authentication tokens inside HTML body safe?

I have a project, a webapp/website that uses cookies to authenticate users with long randomly generated strings (also with samesite:lax, httponly, secure), however I also have an API which itself needs authentication tokens.

My current design is when the website server authenticates the user it generates the API authToken and injects along with the total initial state of the page and then the API requests are served with this authToken, is this flow inherently flawed? I thought of using an extra HTTP request after page loading to get the API authToken and thus avoid putting it inside the HTML body but that means more slowness since the page contents is usually dependent on the API requests which need an extra HTTP request after the page load to get the API authToken. I assume the connection is already over HTTPS of course.

HTML element: quotation symbols not selectable?

To include a quotation in HTML, one could simply use quotation symbols:

<p>“Yes,” he said.</p> 

Alternatively, one could use the inline quotation element:

<p><q>Yes,</q> he said.</p> 

Using the inline quotation element has some advantages, e.g., it provides additional semantic information to any person or machine reading the HTML code.

However, I noticed something that seems to me like a severe disadvantage of the inline quotation element. In all the browsers I’ve tried, although quotation symbols are rendered, it is not possible to select the quotation symbols. Screenshot of quotation symbols not being selected

In Chrome and Edge, predictably, this means that the quotation symbols are omitted if the user copies and pastes. In Firefox, interestingly, quotation symbols are inserted in the pasted text, even though they do not appear to be selected.

This behavior seems jarring for the user. Is it really the best practice for quotations in HTML? When, if ever, should developers use the inline quotation element?

How many H1 tag, Can we use in One html Page? [duplicate]

This question already has an answer here:

  • Multiple H1 tags in blog, category, tag page? 3 answers

Some years ago, everybody who work in Seo field, Recommended that Use only One H1 tag in page, but I heard We can use as many as necessary H1 tag and it doesn’t make any problem for Seo (Google search engine Optimization). Now my Question is about it. How Many H1 Tag can I use in single webpage without Bad Effect on Seo?

In a sitemap, should I update the lastmod tag of a url based on the text content or html content?

Imagine I have this blogging / ecommerce website with 1000 posts / products. And I’ve built a sitemap for it, which is dynamically generated. Basically it’s a list with a bunch of <url> and <lastmod> tags.

I’m pretty sure that the crawlers expect me to update the <lastmod> dates for whatever product or blogpost that I edit and change the text content (or change the images). Add something new, update information, etc. Basically, anything that users will SEE differently when they enter my page. This makes sense.

But my question is:

I have a dynamic single page website. So I don’t keep static pages. I generate and render them (server-side) at run time. So what if I decide that all of my blogposts now should render inside a <main> or <article> tag instead of a div? Or what if I add some structured meta data to add price and review properties for my products, or to add structured data for breadcrumbs.

You see what I mean? The content that the user sees hasn’t changed. But I’ve updated some tags that the CRAWLER will interpret differently. The text/image content is the same, but the HTML content has changed. And this could even have impact on my ranking, since I’m throwing in new tags that might get me better SEO.

But now what should I do? The changes I made now will render the 1000 posts / products in a different way with the new tags (in the perspective of the crawler). Should I update the <lastmod> tag to ALL of my 1000 urls in my sitemap? The user will still see the same text/image content and will not notice any difference.

If I do update all the 1000 <lastmod> tags, won’t the crawler think that it’s “weird” that now all of my urls have been updated on the same day? Since they’ll all have the same <lastmod> tags. Does it make sense?

Please, any help is appreciated. Thanks

Does the HTML password field include any protection against XHR/AJAX exfiltration?

In HTML when we describe a certain field as a password field is it somehow secured against sending out the data via XHR/AJAX/similar technologies?

This is relevant in case we have to deal with script injection and similar attacks.

According to this question the protection is done on the client-side and only protects against physical viewing of the password, is that correct? It’s hard to tell from the lack of information and it is only a blind assumption.

P.S This question has nothing to do with locally stored passwords in the browser.