
RAWeb form login should not send password with a HTTP GET #89

@akarl10

Description

@akarl10

Usually HTTP GET query parameters are logged just like the rest of the URL in the web server's access log: go into C:\inetpub\logs\LogFiles\W3SVC1 and fetch the inserted passwords.

The issue for the frontend is here:

'auth.asmx/ValidateCredentials?username=' +

The obvious solution would be to change this to a POST request and send the credentials as POST data.
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#setting_a_body

Essentially the example could be copied:

```javascript
// MDN fetch example: credentials go in the request body, not the URL
const response = await fetch("https://example.org/post", {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
  },
  // Automatically converted to "username=example&password=password"
  body: new URLSearchParams({ username: "example", password: "password" }),
  // …
});
```

Given that this leaks credentials, this issue should be treated as a security issue.
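To make the leak concrete, here is an added example (not RAWeb's code) that builds the login request both ways and models what an IIS access log would record for each. The endpoint path `auth.asmx/ValidateCredentials` is the one quoted in the issue; the base URL, the field names, the sample credentials and the log line layout are assumptions made for the example.

```javascript
// Added example, not code from the RAWeb project. The endpoint path is the one
// named in the issue; base URL, field names and log layout are assumptions.
const ENDPOINT = "auth.asmx/ValidateCredentials";

// Vulnerable form: credentials in the query string, as the issue describes.
function buildGetLoginRequest(base, username, password) {
  const params = new URLSearchParams({ username, password });
  return { method: "GET", url: `${base}/${ENDPOINT}?${params}`, headers: {}, body: null };
}

// Hardened form: same endpoint, credentials moved into the request body,
// following the MDN fetch example quoted in the issue.
function buildPostLoginRequest(base, username, password) {
  return {
    method: "POST",
    url: `${base}/${ENDPOINT}`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ username, password }).toString(),
  };
}

// Rough model of an access log entry: IIS W3C logging records the method,
// the URI stem and the URI query, and never the request body. Only the
// fields relevant here are reproduced; this is not a real log formatter.
function accessLogLine(req, clientIp = "203.0.113.5") {
  const u = new URL(req.url);
  const query = u.search ? u.search.slice(1) : "-";
  return `${clientIp} ${req.method} ${u.pathname} ${query}`;
}

// Does the password appear in what the log keeps? Parses the logged query
// string back so the check does not depend on percent-encoding details.
function passwordLeaksToLog(req, password) {
  const query = accessLogLine(req).split(" ")[3];
  if (query === "-") return false;
  return new URLSearchParams(query).get("password") === password;
}

// How the built request would be sent from the browser (assumes the
// server-side method accepts POST; not invoked here, no network needed).
async function sendLogin(req) {
  return fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
}

// Demonstration with constructed sample credentials.
const getReq = buildGetLoginRequest("https://rdweb.example", "alice", "Hunter2!");
const postReq = buildPostLoginRequest("https://rdweb.example", "alice", "Hunter2!");
console.log(accessLogLine(getReq));  // query column carries the password
console.log(accessLogLine(postReq)); // query column is "-", body is not logged
```

Moving the credentials into the body only keeps them out of the access log (and out of browser history and Referer headers, which also carry GET URLs); the request still has to go over TLS, and the server-side method has to accept POST for the change to work.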

Metadata

Labels: security (Related to a security issue or improvement)