Wednesday, October 16, 2024

Using HTTP Basic Auth in 2022

I create a lot of little side projects and experiments. Sometimes I have an idea that would work best behind a login.

Building an entire login system from scratch can be a significant investment and creates a major barrier to entry. It’s prevented me from building useful tools because they would require a login.

But in 2022 I won’t let that stop me.

More than ten years ago I created a little experimental tool at work. We had a database of users but we didn’t have any type of API for our login system. If I built something that wasn’t part of the monolith, it wouldn’t integrate with the system. I decided to try HTTP Basic Auth. It worked, and that little experiment slowly expanded to dozens of other tools and became a major internal admin system. I’m not involved on the teams that use those tools anymore but my little auth module is still being used because Basic Auth has been good enough.

There are some minor downsides (the browser's prompt can't be styled, there's no real logout, and the credentials ride along on every request), but if a project does well enough, I can always build a better login system later.

It would probably be straightforward to implement a third-party login flow, such as Google, Apple, or Facebook accounts. But I have privacy and lock-in concerns with using these third-party systems.

What does HTTP Basic Authentication look like in 2022? Here’s a screenshot of the login prompt in the latest version of Google Chrome.

[Screenshot: Chrome's HTTP Basic Auth login prompt]

Some online resources say HTTP Basic Authentication is deprecated, but that's a misunderstanding. What was deprecated (by RFC 3986) is embedding the username and password in the URL itself, as in https://user:pass@example.com/. Sending the credentials in the Authorization header, as defined in RFC 7617, is still perfectly valid, and that's what I'll be doing. This method works in every modern browser.


As an additional aside, modern browsers still support credentials in the URL, even though the practice is deprecated. To prevent certain phishing attacks (a URL like https://bank.example@attacker.example/ that looks like it points at the bank), they hide those credentials from the user in various ways, but it tends to work anyway. I wouldn't personally use credentials in the URL though; who knows how long browsers will continue to support that.

Because Basic Authentication sends the username and password with every HTTP request, and only Base64-encodes them (which is encoding, not encryption), it's insecure unless the requests travel over an encrypted HTTPS connection. These days HTTPS is the norm for many of our projects, but it's something you need to be aware of. You don't want to use this over a regular HTTP connection, because anyone on the same network can read the Authorization header and recover the credentials. HTTPS encrypts the whole request, headers included, so this isn't a problem over HTTPS; just make sure the app isn't also reachable over plain HTTP.

I’ve created a template for a simple application that implements HTTP Basic Authentication in Go.
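The following is an added example of what such a Go application looks like; it is written for this page and is not the author's template. It shows the two points made above: the credentials arrive in the `Authorization: Basic <base64(user:pass)>` header and are parsed with `r.BasicAuth()`, and the server is started with `ListenAndServeTLS` so that header never crosses the network in the clear. The user table, the realm name and the `cert.pem`/`key.pem` file names are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
)

// users maps usernames to SHA-256 digests of their passwords. This is
// constructed sample data for the example. SHA-256 is used here only so both
// sides of the comparison are fixed-length; for real password storage use a
// slow hash such as bcrypt or argon2 and load the hashes from storage.
var users = map[string][32]byte{
	"alice": sha256.Sum256([]byte("correct horse battery staple")),
}

// checkCredentials reports whether user exists and pass matches.
// ConstantTimeCompare keeps the comparison from leaking how many bytes
// matched; we run it even for unknown users so the two paths take similar
// time.
func checkCredentials(user, pass string) bool {
	stored, ok := users[user]
	if !ok {
		stored = [32]byte{} // dummy digest so the compare still happens
	}
	given := sha256.Sum256([]byte(pass))
	match := subtle.ConstantTimeCompare(stored[:], given[:]) == 1
	return ok && match
}

// basicAuth wraps next and enforces HTTP Basic Authentication. A missing or
// wrong credential gets a 401 with a WWW-Authenticate challenge, which is
// what makes the browser show the login prompt pictured above. The realm is
// assumed not to contain double quotes.
func basicAuth(realm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.BasicAuth decodes "Authorization: Basic <base64(user:pass)>".
		user, pass, ok := r.BasicAuth()
		if !ok || !checkCredentials(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`", charset="UTF-8"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// hello is the protected page; it only runs after basicAuth has accepted.
func hello(w http.ResponseWriter, r *http.Request) {
	user, _, _ := r.BasicAuth()
	fmt.Fprintf(w, "hello, %s\n", user)
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/", basicAuth("side-project", http.HandlerFunc(hello)))
	// Basic Auth resends the credentials on every request, so listen on TLS
	// only. cert.pem and key.pem are assumed to exist (for example from
	// mkcert for local work or Let's Encrypt in production).
	log.Fatal(http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", mux))
}
```

Run it and open https://localhost:8443/ in a browser; the first request has no Authorization header, the server answers 401 with the challenge, the browser prompts, and every later request to that origin carries the header automatically. There is no server-side session to expire, so "logging out" means the browser forgetting the credentials, which is one of the minor downsides mentioned earlier.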
