diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py index 12647be68f7..b7eaa4dfd60 100644 --- a/homeassistant/components/http.py +++ b/homeassistant/components/http.py @@ -28,7 +28,7 @@ from homeassistant.const import ( HTTP_HEADER_CONTENT_LENGTH, HTTP_HEADER_CONTENT_TYPE, HTTP_HEADER_EXPIRES, HTTP_HEADER_HA_AUTH, HTTP_HEADER_VARY, HTTP_METHOD_NOT_ALLOWED, HTTP_NOT_FOUND, HTTP_OK, HTTP_UNAUTHORIZED, HTTP_UNPROCESSABLE_ENTITY, - SERVER_PORT) + SERVER_PORT, URL_ROOT, URL_API_EVENT_FORWARD) DOMAIN = "http" @@ -218,6 +218,10 @@ class RequestHandler(SimpleHTTPRequestHandler): else: self.authenticated = False + # we really shouldn't need to forward the password from here + if url.path not in [URL_ROOT, URL_API_EVENT_FORWARD]: + data.pop(DATA_API_PASSWORD, None) + if '_METHOD' in data: method = data.pop('_METHOD')
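Review bot: The comment above the new `data.pop(DATA_API_PASSWORD, None)` guard does not say why `URL_ROOT` and `URL_API_EVENT_FORWARD` are exempt, so a later reader cannot tell whether the allowlist is complete or safe to extend. I would replace it with something like `# Auth is decided above; drop the password so handlers cannot log or echo it. URL_ROOT and URL_API_EVENT_FORWARD still read it from data because <reason>.`, and write the allowlist as a tuple: `if url.path not in (URL_ROOT, URL_API_EVENT_FORWARD):`. The exact-string comparison fails closed, since any path that differs from the two constants has the password stripped. The two exempt handlers still receive the credential in `data`, and presumably need their own care to keep it out of logs and responses. The enclosing `RequestHandler` method starts and ends outside the hunk, so how `data` is populated (query string, body, or both) is not visible here.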