Updated on 13 Nov, 2025

What Is HTTP Basic Authentication?

HTTP Basic Authentication (often called “Basic Auth”) is a built-in feature of the HTTP protocol.

It allows a client (like a browser, Postman, or curl) to send a username and password with each request to verify its identity.

It's basic because:

  • It has no encryption, signing or tokens of its own.
  • It sends the credentials Base64-encoded, not encrypted.
  • Browsers and servers handle it natively, with no login page needed.

How the Basic Authentication Flow Works

Let's go through the full round trip between the browser (client) and the web server.

Step 1: The client requests a protected resource

GET /dashboard HTTP/1.1
Host: example.com

No credentials are sent yet.

Step 2: The server challenges the client

The server responds:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="User Area"

This tells the browser:

Hey, I need username and password for the User Area.

The realm is just a label describing which part of the site is protected. The browser also uses it as the key under which it remembers the credentials it has already sent.

Step 3: The client resends the request with credentials

If the user enters a username and password, the browser resends the request:

GET /dashboard HTTP/1.1
Host: example.com
Authorization: Basic dXNlcjpwYXNzd29yZA==

Here:

  • Authorization is the HTTP header.
  • Basic indicates the authentication scheme.
  • The long string is the Base64 encoding of username:password (here user:password).

Example:

echo -n "user:password" | base64
# Output: dXNlcjpwYXNzd29yZA==

Step 4: The server verifies the credentials

On the server side:

  1. It reads the Authorization header and checks that the scheme is Basic.
  2. Decodes the Base64 string.
  3. Splits it into username and password at the first colon (usernames may not contain a colon, but passwords may).
  4. Verifies the password against the stored record (ideally a salted hash, never the plaintext).

If the credentials match -> access granted.

If not -> another 401 Unauthorized response, with the same WWW-Authenticate challenge, is sent.

Understanding the Base64 Part

A common misconception is that Base64 encrypts the credentials.

It does not. It's just a reversible encoding format – like writing in code words.

Example:

user:password -> dXNlcjpwYXNzd29yZA==

Anyone who can read this value – a proxy, a packet capture, a request log – decodes it back in one command.

That's why Basic Auth must only be used over HTTPS (TLS), so the whole request, header included, is encrypted by the transport layer. Without TLS the password travels in cleartext on every single request.
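The four steps above and the Base64 point, as an added example that is not part of the original article: the client side builds the header, the server side parses and verifies it, and the same parser shows that an intercepted header decodes straight back to user:password. The credential store USER_DB, the hashing scheme (PBKDF2-SHA256) and the handle_request function are assumptions for illustration, not anything the page or a specific server implements.

```python
import base64
import binascii
import hashlib
import hmac
import os

REALM = "User Area"


def _hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-SHA256; the server stores this, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed credential store: username -> (salt, hash). A real server loads this
# from a database; "user" / "password" matches the header in the article.
_SALT = os.urandom(16)
USER_DB = {"user": (_SALT, _hash_password("password", _SALT))}


def build_authorization_header(username: str, password: str) -> str:
    """Client side (step 3): what a browser or curl sends after the user types in."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(header_value: str):
    """Decode an Authorization header value. Returns (username, password) or None.

    This is also everything an eavesdropper needs: Base64 is reversible.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None  # malformed token: treat as no credentials, not as an error page
    # Split on the FIRST colon only: passwords are allowed to contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def handle_request(headers: dict):
    """Server side (steps 2 and 4) for GET /dashboard.

    Returns (status_line, response_headers). The challenge is sent both when no
    credentials are present and when they fail, so the browser re-prompts.
    """
    challenge = ("401 Unauthorized", {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    auth = headers.get("Authorization")
    if auth is None:
        return challenge
    creds = parse_basic_credentials(auth)
    if creds is None:
        return challenge
    username, password = creds
    record = USER_DB.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password
        # (avoids leaking which usernames exist via response timing).
        _hash_password(password, b"\x00" * 16)
        return challenge
    salt, stored_hash = record
    if hmac.compare_digest(_hash_password(password, salt), stored_hash):
        return ("200 OK", {})
    return challenge


if __name__ == "__main__":
    # Step 1: no credentials -> Step 2: challenge
    print(handle_request({}))
    # Step 3: credentials attached -> Step 4: verified
    hdr = build_authorization_header("user", "password")
    print(hdr, handle_request({"Authorization": hdr}))
    # What an interceptor sees after one decode
    print(parse_basic_credentials(hdr))
```

Two details matter in practice: splitting at the first colon only, so that a password such as p:a:ss survives, and comparing hashes with hmac.compare_digest so the comparison does not leak through timing.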

Advantages

  • Extremely simple to implement on both client and server
  • No session state to manage on the server
  • Built into the HTTP protocol – supported by all browsers and servers
  • No HTML/CSS required – works with any client that understands HTTP

Disadvantages

  • Credentials are sent with EVERY request – a single intercepted or logged request exposes the password
  • No standard way to log out – the browser caches the credentials until the window is closed
  • UGLY user experience – the browser's native login dialog
  • No customization – can't style the login form or add password reset flows
  • Vulnerable to CSRF (just like cookies) – once cached, the browser attaches the credentials to any request to that realm, including ones a malicious page triggers
  • The plaintext password reaches the server on every request, even over HTTPS – TLS-terminating proxies and any header logging see it