I run OH3 with http binding and I just noticed that the password to my admin account is visible in code in the http thing editor:
UID: http:url:3b28048915
label: Kostal Inverter Part2
thingTypeUID: http:url
configuration:
authMode: BASIC
ignoreSSLErrors: false
baseURL: http://192.168.178.21/api/dxs.json?dxsEntries=67109378&dxsEntries=67109377&dxsEntries=67109379&dxsEntries=67109634&dxsEntries=67109633&dxsEntries=67109635&dxsEntries=67109890&dxsEntries=67109889&dxsEntries=67109891
refresh: 30
commandMethod: GET
timeout: 3000
bufferSize: 2048
username: admin
password: PasswordRemoved
username and password get added automatically if you activate the checkbox “show advanced” in the thing editor. My http requests don’t require authentication and I always have to manually removed the username and password in the code editor of thing 
Don’t know if this is an issue, but I don’t like that the password is visible in clear text…
Any advice on how to handle this? Just don’t enable “show advanced”?