HTTP Authentication: HTTP Basic Authentication


HTTP Basic Authentication provides a straightforward mechanism for authentication. Credentials are sent in plain text (base64 is an encoding, not encryption), so the scheme is insecure by default. Successful authentication proceeds as follows.

The client requests a page for which access is restricted:

GET /secret HTTP/1.1

The server responds with status code 401 Unauthorized and requests the client to authenticate:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Secret Page"

The client resends the request with an Authorization header. The credentials are the string username:password, base64-encoded:

GET /secret HTTP/1.1
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

The server accepts the credentials and responds with the page content:

HTTP/1.1 200 OK