ToolSec


What Is HTTP Basic Authentication?

· 6 min read · Updated June 27, 2026

HTTP Basic Authentication is the oldest and simplest way to put a password in front of a web resource. It's still widely used for internal tools, staging sites and simple API gates, but it comes with one critical caveat you must understand.

How Basic Auth works

When a browser requests a protected resource, the server responds with 401 Unauthorized and a WWW-Authenticate: Basic header. The browser shows a login prompt, then resends the request with an Authorization header: the word Basic followed by the Base64 encoding of username:password. The server decodes it, checks the credentials, and either serves the resource or rejects it.

The big caveat: Base64 is not encryption

Here's the part people miss. The credentials are only Base64-encoded, not encrypted, and Base64 is trivially reversible. Over plain HTTP, anyone who can see the traffic can read the username and password instantly. Basic Auth is only safe over HTTPS, where TLS encrypts the whole request. Never use it without HTTPS. (For why Base64 isn't security, see our Base64 guide.)

A second thing to note: the browser sends those credentials on every request to the protected area, so they're repeatedly exposed if the connection isn't encrypted.

The .htpasswd file

On Apache and nginx, Basic Auth credentials usually live in a .htpasswd file: one username:hash line per user. The password is stored as a hash, not in plain text. Modern setups use bcrypt (Apache's htpasswd -B), which is slow and salted, so a stolen file is hard to crack. Avoid the legacy MD5/crypt schemes htpasswd also supports.

Store the .htpasswd file outside the web root so it can't be downloaded, and point your server config at it.

Setting it up

  • Apache: AuthType Basic, AuthName "Restricted", AuthUserFile /path/.htpasswd, Require valid-user.
  • nginx: auth_basic "Restricted"; and auth_basic_user_file /path/.htpasswd;.
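To tie the exchange from "How Basic Auth works" to the .htpasswd lookup above, here is an added Python example written for this guide (not code from the page, Apache or nginx): the client side builds the Authorization header, the server side issues the 401 challenge, decodes the header (splitting on the first colon only, since a password may contain colons), and checks the user against constructed .htpasswd content, accepting only bcrypt entries. The bcrypt comparison itself is delegated to a caller-supplied verify_bcrypt function (assumed to wrap something like bcrypt.checkpw from the bcrypt package), and the hash strings in the sample file are placeholders, not real hashes.

```python
import base64
from typing import Callable, Optional

# Constructed .htpasswd content for this example; the hash fields are placeholders that only
# imitate the "$2y$" (bcrypt) and "$apr1$" (legacy MD5) prefixes, not real hashes.
HTPASSWD_TEXT = """# staging-site users
alice:$2y$10$PLACEHOLDER_BCRYPT_HASH_FOR_ALICE
bob:$apr1$PLACEHOLDER_LEGACY_MD5_HASH
"""

def challenge_headers(realm: str = "Restricted") -> dict:
    """Headers for the 401 response that makes the browser show its login prompt."""
    return {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}

def build_authorization_header(username: str, password: str) -> str:
    """What the browser sends after the prompt: 'Basic ' + base64(username:password)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")  # RFC 7617 forbids it
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_authorization(header: Optional[str]) -> Optional[tuple]:
    """Recover (username, password) from the header, or None if unusable. Plain decode, no key."""
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic":  # scheme names are case-insensitive; also rejects a missing header
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Split on the first colon only: the password itself may contain colons.
    username, sep, password = raw.partition(":")
    return (username, password) if sep else None

def load_htpasswd(text: str) -> dict:
    """Parse .htpasswd lines into {username: hash}, skipping blanks and comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.partition(":")[::2] for ln in lines if ln and not ln.startswith("#") and ":" in ln)

def check_credentials(header: Optional[str], users: dict, verify_bcrypt: Callable[[str, str], bool]) -> bool:
    """Server-side check; verify_bcrypt(password, stored_hash) is e.g. bcrypt.checkpw from the bcrypt package."""
    creds = parse_basic_authorization(header)
    if creds is None:
        return False
    username, password = creds
    stored = users.get(username, "")
    # Only bcrypt entries are accepted; legacy MD5 ($apr1$), crypt and {SHA} entries are refused.
    if not stored.startswith(("$2a$", "$2b$", "$2y$")):
        return False
    return verify_bcrypt(password, stored)
```

A request that fails check_credentials should get a 401 with challenge_headers() so the browser prompts again; note that bob is refused even with a correct password because his entry uses a legacy scheme.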

When to use it (and when not to)

Basic Auth is great for low-stakes gates: an internal dashboard, a staging environment, a quick password on a directory, or a simple API behind HTTPS. It's not the right choice for a real multi-user application with sensitive data: there's no session management, no logout, no MFA, and no granular permissions. For that, use a proper authentication system or identity provider.

Try it

Generate a secure bcrypt-hashed .htpasswd line with our .htpasswd generator, and explore the bcrypt hash itself with the bcrypt generator & checker. To understand the encoding step, see what Base64 is.

Frequently asked questions

Is HTTP Basic Authentication secure?

Only over HTTPS. Basic Auth sends credentials Base64-encoded (not encrypted) on every request, so without TLS they're effectively in the clear. Behind HTTPS it's fine for low-stakes gates.

Where are Basic Auth passwords stored?

Usually in a .htpasswd file with one username:hash line per user. Use bcrypt hashing and keep the file outside the web root so it can't be downloaded.

When should I not use Basic Auth?

For real multi-user apps with sensitive data. It has no sessions, logout, MFA or granular permissions. Use a proper authentication system or identity provider instead.
