What Is HTTP Basic Authentication?
By Justin Le
· 6 min read · Updated June 27, 2026

HTTP Basic Authentication is the oldest and simplest way to put a password in front of a web resource. It's still widely used for internal tools, staging sites and simple API gates, but it comes with one critical caveat you must understand.
How Basic Auth works
When a browser requests a protected resource, the server responds with 401 Unauthorized and a WWW-Authenticate: Basic header. The browser shows a login prompt, then resends the request with an Authorization header: the word Basic followed by the Base64 encoding of username:password. The server decodes it, checks the credentials, and either serves the resource or rejects it.
The big caveat: Base64 is not encryption
Here's the part people miss. The credentials are only Base64-encoded, not encrypted, and Base64 is trivially reversible. Over plain HTTP, anyone who can see the traffic can read the username and password instantly. Basic Auth is only safe over HTTPS, where TLS encrypts the whole request. Never use it without HTTPS. (For why Base64 isn't security, see our Base64 guide.)
A second thing to note: the browser sends those credentials on every request to the protected area, so they're repeatedly exposed if the connection isn't encrypted.
The .htpasswd file
On Apache and nginx, Basic Auth credentials usually live in a .htpasswd file, one username:hash line per user. The password is stored as a hash, not in plain text. Modern setups use bcrypt (Apache's htpasswd -B), which is slow and salted, so a stolen file is hard to crack. Avoid the legacy MD5/crypt schemes htpasswd also supports.

Store the .htpasswd file outside the web root so it can't be downloaded, and point your server config at it.
Setting it up
- Apache: AuthType Basic, AuthName "Restricted", AuthUserFile /path/.htpasswd, Require valid-user.
- nginx: auth_basic "Restricted"; and auth_basic_user_file /path/.htpasswd;.
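To make the flow above and the .htpasswd check concrete, here is an added Python example (not part of this article or of Apache/nginx): build_authorization is what the browser sends after the prompt, parse_authorization and authorize are the server side including the 401 challenge, and htpasswd_verifier checks a user against bcrypt .htpasswd entries while refusing legacy MD5/crypt ones. The function names and sample entries are constructed for this example, and the bcrypt path assumes the third-party bcrypt package is installed.

```python
import base64

REALM = "Restricted"  # the AuthName / auth_basic string from the config above

def build_authorization(username, password):
    # What the browser sends after the prompt: "Basic " + Base64("user:pass").
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_authorization(header):
    # Server side: undo the Base64 (no key needed, which is the whole caveat).
    # Returns None for a missing header, another scheme, or malformed Base64.
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")  # first colon only: passwords may contain ':'
    return (user, password) if sep else None

def challenge():
    # The 401 that makes the browser show its login prompt.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}

def authorize(header, verify):
    # Full server decision: decode, check, then 200 or the 401 challenge again.
    creds = parse_authorization(header)
    if creds is None or not verify(*creds):
        return challenge()
    return 200, {}

def htpasswd_verifier(htpasswd_text):
    # Build verify(user, password) from .htpasswd text. Only bcrypt entries ($2y$ from
    # htpasswd -B, or $2a$/$2b$) are honoured; legacy MD5 ($apr1$) / crypt lines are refused.
    table = {}
    for line in htpasswd_text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            user, _, digest = line.partition(":")
            table[user] = digest
    def verify(user, password):
        digest = table.get(user)
        if digest is None or not digest.startswith(("$2y$", "$2b$", "$2a$")):
            return False
        import bcrypt  # third-party package (pip install bcrypt), assumed installed
        return bcrypt.checkpw(password.encode("utf-8"), digest.encode("ascii"))
    return verify
```

Because parse_authorization needs no secret to recover the password, the same few lines work for anyone reading the traffic, which is exactly why the header must only ever travel over HTTPS.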
When to use it (and when not to)
Basic Auth is great for low-stakes gates: an internal dashboard, a staging environment, a quick password on a directory, or a simple API behind HTTPS. It's not the right choice for a real multi-user application with sensitive data, because there's no session management, no logout, no MFA, and no granular permissions. For that, use a proper authentication system or identity provider.
Try it
Generate a secure bcrypt-hashed .htpasswd line with our .htpasswd generator, and explore the bcrypt hash itself with the bcrypt generator & checker. To understand the encoding step, see what Base64 is.
Frequently asked questions
Is HTTP Basic Authentication secure?
Only over HTTPS. Basic Auth sends credentials Base64-encoded (not encrypted) on every request, so without TLS they're effectively in the clear. Behind HTTPS it's fine for low-stakes gates.
Where are Basic Auth passwords stored?
Usually in a .htpasswd file with one username:hash line per user. Use bcrypt hashing and keep the file outside the web root so it can't be downloaded.
When should I not use Basic Auth?
For real multi-user apps with sensitive data. It has no sessions, logout, MFA or granular permissions. Use a proper authentication system or identity provider instead.