Basic
E748454
Basic is a simple HTTP authentication scheme defined in RFC 2617 that transmits user credentials encoded in Base64, typically over a secure transport like HTTPS.
Statements (46)
| Predicate | Object |
|---|---|
| instanceOf | HTTP authentication scheme |
| authenticationScope | per-connection and per-URI path |
| authenticationType | challenge-response |
| category | web authentication |
| challengeHeaderFieldName | WWW-Authenticate |
| clientBehavior | sends Authorization header with each protected request |
| compatibleWith | HTTP/1.0; HTTP/1.1 |
| credentialEncoding | Base64-encoded UTF-8 string |
| credentialFormat | username:password |
| credentialReuse | clients may reuse credentials for same realm |
| definedIn | RFC 2617; RFC 7617 |
| discouragedFor | high-security applications without TLS |
| doesNotProvide | integrity protection; mutual authentication; replay protection |
| encodingProperty | Base64 is an encoding not encryption |
| headerFieldName | Authorization |
| headerUsed | Authorization header |
| introducedIn | HTTP/1.0 era |
| passwordStorageRecommendation | store password equivalents such as salted hashes |
| passwordStorageRequirement | servers should not store plaintext passwords |
| realmUsage | identifies the protection space |
| relatedTo | Bearer authentication; Digest access authentication |
| responseHeaderUsed | WWW-Authenticate header |
| risk | credentials can be easily decoded from Base64 |
| schemeNameInHeader | Basic |
| securityBestPractice | combine with HTTPS and strong password policies |
| securityRecommendation | use only over secure transport such as HTTPS |
| serverBehavior | challenges with WWW-Authenticate: Basic realm="..." |
| standardizedBy | Internet Engineering Task Force (surface form: IETF) |
| statusCodeUsedForChallenge | 401 Unauthorized |
| supports | per-request authentication |
| transmissionSecurityProperty | credentials are not encrypted by the scheme itself |
| transmits | user credentials; username and password |
| typicallyUsedOver | HTTPS; TLS |
| useCase | simple, low-security authentication scenarios |
| usedFor | authenticating HTTP clients to servers |
| usesEncoding | Base64 |
| vulnerability | susceptible to credential interception over unencrypted HTTP |
| widelyImplementedBy | HTTP client libraries; web browsers |