HTTP authentication
The general HTTP authentication framework
RFC 7235 defines the HTTP authentication framework, which can be used by a server to challenge a client request, and by a client to provide authentication information.
The challenge and response flow works like this:
1.The server responds to a client with a 401 (Unauthorized) response status and provides information on how to authorize with a WWW-Authenticate response header containing at least one challenge. 2.A client that wants to authenticate itself with the server can then do so by including an Authorization request header with the credentials. 3.Usually a client will present a password prompt to the user and will then issue the request including the correct Authorization header.
WWW-Authenticate and Proxy-Authenticate headers
The WWW-Authenticate and Proxy-Authenticate response headers define the authentication method that should be used to gain access to a resource. They must specify which authentication scheme is used, so that the client that wishes to authorize knows how to provide the credentials.
WWW-Authenticate: <type> realm=<realm>
Proxy-Authenticate: <type> realm=<realm>Authorization and Proxy-Authorization headers
The Authorization and Proxy-Authorization request headers contain the credentials to authenticate a user agent with a (proxy) server.
Authorization: <type> <credentials>
Proxy-Authorization: <type> <credentials>Basic authentication scheme
The “Basic” HTTP authentication scheme is defined in RFC 7617, which transmits credentials as user ID/password pairs, encoded using base64.
Security of basic authentication
As the user ID and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme is not secure. HTTPS/TLS should be used with basic authentication. Without these additional security enhancements, basic authentication should not be used to protect sensitive or valuable information.