Questions tagged [http-basic-auth]

HTTP basic auth is an authentication scheme for HTTP (RFC 7617) in which the client sends the user-id and password, joined by a colon and Base64-encoded, in the Authorization header of each request. It is commonly recognized by a browser password prompt.

21 questions
407 votes, 10 answers

Is BASIC-Auth secure if done over HTTPS?

I'm making a REST API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used. Can this be considered secure?
Morten
35 votes, 1 answer

Why would image resources loaded from different origins triggering HTTP authentication dialogs be harmful?

From https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication, it says: A potential security hole that has recently been fixed by browsers is authentication of cross-site images. From Firefox 59 onwards, image resources loaded from…
Rick
11 votes, 3 answers

How to prevent popping up a login dialogue using a malicious hotlinked image and HTTP Basic Auth header?

While using Firefox to browse my forums, I noticed that a malicious user posted an image (via hotlinking, not by uploading to my server) with the extension .png which complies with the forum rules (allowing only .png, .gif, .jpg, .bmp, etc.).…
user3196332
10 votes, 1 answer

Is basic HTTP proxy authentication secure?

I have been looking for cloud based proxies, and I notice that it's very common to authenticate to a proxy using basic auth over an unencrypted connection. I don't understand why this is considered acceptable. Is proxy authentication different than…
William Rosenbloom
9 votes, 2 answers

Should http basic auth passwords be stored hashed serverside?

HTTP basic auth sends credentials un-hashed and unencrypted over the wire, relying on TLS for confidentiality in transit. However, should the password be stored hashed using a standard KDF in the backend for comparison on receipt?
Prime
6 votes, 2 answers

Firefox not deleting HTTP Basic authentication credentials although being instructed to do so

On one of my web servers, I have set up a password-protected directory using the well-known .htaccess / .htpasswd mechanism. The web server is run by Apache 2.4.10 under Debian jessie, if that matters. The relevant snippet from the virtual host…
Binarus
5 votes, 2 answers

What are the advantages of using JWT over Basic Auth with Https?

As per my understanding, both JWT and Basic Auth are used to store login credentials on the client side and avoid sessions for better scalability. I understand that with Basic Auth, login credentials will be sent along with each request, which is a security risk…
Arjun
3 votes, 2 answers

sqlmap: Test injection in Basic Authentication?

I have been trying to make sqlmap test the username parameter in a fake login page that uses basic authentication. However I cannot make it test the Authentication header via the asterisk trick: sqlmap --auth-type "BASIC" --auth-cred="*:pass"…
chefarov
2 votes, 1 answer

HTTP Basic Auth is enough?

I have WebSVN, GitLab and phpMyAdmin hosted on my dev server. Now I password-protect all of those pages (not their individual logins) using HTTP Basic Auth; is this the best practice that I can do?
1 vote, 0 answers

Basic authentication after mTLS?

I work for a software company and I'm currently doing research for an enhancement request. Essentially we have an application client which talks to a REST endpoint which is authenticated using basic authentication over SSL. A client is requesting…
Errol Neal
1 vote, 1 answer

Basic Auth exposed to ISP/DNS?

Would someone using basic authentication in a URL such as https://username:password@example.com have their credentials be visible to their ISP or DNS?
WorseDoughnut
1 vote, 1 answer

What are the security risks of basic authorization in SOAP requests?

What are the security risks of basic authorization in SOAP requests? I know that the username and password are concatenated and sent in Base64 in an HTTP header on every subsequent request, but it is still popular in SOAP WS.
user187205
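Three of the questions on this page look at the same small mechanism from different angles: what the Basic header actually carries (the SOAP question above), whether a https://username:password@example.com URL is visible to the ISP or DNS, and whether the server should still store the password through a KDF. The block below is an added example, not code from any of the questions or answers: it builds and parses the RFC 7617 header, splits a credential-bearing URL into what the resolver sees versus what travels inside TLS, and checks a received password against a salted PBKDF2-HMAC-SHA256 record with a constant-time compare. The user store, user-ids and passwords are constructed for the example.

```python
"""Added example: HTTP Basic auth on the wire and at rest (not from the linked questions)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit

# PBKDF2-HMAC-SHA256 work factor from the OWASP Password Storage Cheat Sheet.
KDF_ITERATIONS = 600_000


def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a client sends (RFC 7617 section 2)."""
    # The first colon is the separator, so the user-id may not contain one;
    # the password may contain as many colons as it likes.
    if ":" in username:
        raise ValueError("RFC 7617: user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Recover (user-id, password) from an Authorization header, or None if malformed.

    Base64 is an encoding, not encryption: whoever sees this header on a plaintext
    HTTP or proxy connection, or in a log, gets the password back with this function.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None  # no separator: not a valid user-pass token
    return user, password


def wire_view(url: str) -> Dict[str, str]:
    """Split https://user:pw@host/path into what each observer can see.

    The DNS query and the TLS ClientHello (SNI) carry only the hostname. The client
    never transmits the userinfo part as such; it turns it into an Authorization
    header that is sent only after the TLS handshake has completed.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("over plain http:// the header is readable by every hop")
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")
    return {
        "dns_and_sni": parts.hostname or "",      # plaintext on the network
        "inside_tls": basic_header(user, password),  # encrypted application data
    }


def store_password(password: str, salt: Optional[bytes] = None,
                   iterations: int = KDF_ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the received password and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed sample user store (hypothetical user-ids and passwords).
USERS: Dict[str, str] = {
    "alice": store_password("correct horse battery staple"),
    "svc-reporting": store_password("Xk:9q:rt"),  # colons in a password are legal
}
# Fixed record used for unknown user-ids, so a miss on the user-id costs the same
# KDF run as a miss on the password; otherwise response time reveals valid user-ids.
_DUMMY_RECORD = store_password(os.urandom(16).hex())


def authenticate(authorization: str, users: Dict[str, str] = USERS) -> Optional[str]:
    """Return the authenticated user-id, or None. Unknown user and wrong password cost alike."""
    creds = parse_basic_header(authorization)
    if creds is None:
        return None
    user, password = creds
    record = users.get(user)
    if record is None:
        verify_password(password, _DUMMY_RECORD)
        return None
    return user if verify_password(password, record) else None


if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse battery staple")
    print(hdr)
    print(parse_basic_header(hdr))  # the plaintext comes straight back out
    print(wire_view("https://alice:s3cret@example.com/api/v1"))
    print(authenticate(hdr), authenticate(basic_header("alice", "wrong")))
```

The URL case covers only the network path: credentials embedded in a URL still end up in browser and shell history on the client, which is a separate exposure from the ISP or resolver. On the server side, nothing about Basic auth removes the need for a KDF; the header gives the server the plaintext on every request, but a database dump should still yield only salted PBKDF2 records.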
1 vote, 2 answers

Any downside to using basic authentication over HTTPS in addition to native authentication?

Can basic authentication over HTTPS do any harm on a personal one-user server if used in addition to native authentication provided by individual web applications?
Mihai Nagy
0 votes, 0 answers

How to detect web account vulnerability

I know I might take a lot of flack for asking this basic question, but I hope you'll be patient with me. I was looking at a few websites and analyzing the payload when sending a POST request to login. On GitHub, for example, I can see both username…
Robin Sage
0 votes, 0 answers

Best secure approach with Basic Auth

Due to several customer reasons, our product needs to support Basic Auth as the primary authentication mechanism with the client's service account. We are using Bcrypt to store customers' passwords in our DB; however, Bcrypt (combined with Basic Auth) is quite…