Authentication route uses Basic Auth without HTTPS


Description

The API endpoint accepts Basic Access Authentication over unencrypted HTTP. Basic Auth only base64-encodes the `username:password` pair, which is an encoding, not encryption, and is trivially reversible. Over plain HTTP the entire request, including the Authorization header, can be read or modified by anyone on the network path.

Combining Basic Auth with HTTP removes transport protection entirely: an attacker does not need to mount an active man-in-the-middle or TLS interception attack, because passive eavesdropping on any hop (shared Wi-Fi, a compromised router, an ISP or cloud network segment) yields the password in cleartext.

Rationale

This finding matches publicly reachable endpoints on which Datadog detected Basic Auth as the authentication mechanism, where the observed traffic uses @http.scheme:http, and where stronger schemes (Bearer, JWT, or other Authorization flows) are not the primary signal.

Remediation

  • Enforce HTTPS for every route that handles credentials: redirect HTTP requests to HTTPS, send a Strict-Transport-Security (HSTS) header on HTTPS responses (browsers ignore it on HTTP), and verify that the TLS configuration itself is sound.
  • Replace Basic Auth with a modern pattern where practical: token-based access and refresh tokens (OAuth 2.0, RFC 6749), or mutual TLS for service-to-service calls. If Basic Auth must remain for compatibility, it must never be accepted over plain HTTP.
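The following script is an added example, not part of this page or of Datadog's rule implementation. It illustrates both the rationale above (the rule's signal: Basic Auth observed on `@http.scheme:http`) and the remediation: it decodes a Basic credential to show how little base64 protects, runs the detection condition over constructed request records, and models an edge guard that redirects HTTP to HTTPS and sets HSTS only on HTTPS responses. The record keys (`http.scheme`, `http.url`, `authorization`), the hostname and the credentials are all constructed sample data, not values from any real trace.

```python
"""Basic Auth over HTTP: detection and enforcement example (constructed data)."""
import base64
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample records, shaped like fields a proxy or APM trace might carry.
# The key names and values are assumptions for this example only.
SAMPLE_REQUESTS: List[Dict[str, Optional[str]]] = [
    {"http.scheme": "http", "http.url": "http://api.example.com/v1/login",
     "authorization": "Basic YWxpY2U6aHVudGVyMg=="},       # Basic over HTTP: finding
    {"http.scheme": "https", "http.url": "https://api.example.com/v1/login",
     "authorization": "Basic YWxpY2U6aHVudGVyMg=="},       # Basic over HTTPS: not this finding
    {"http.scheme": "http", "http.url": "http://api.example.com/v1/data",
     "authorization": "Bearer opaque-token-123"},          # Bearer over HTTP: not this rule's signal
    {"http.scheme": "http", "http.url": "http://api.example.com/health",
     "authorization": None},                               # unauthenticated
]


def decode_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic Authorization header.

    Demonstrates that base64 is reversible by anyone holding the bytes.
    Returns None for a missing, non-Basic, or malformed header.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:  # RFC 7617 requires the user-id:password form
        return None
    user, _, password = raw.partition(":")
    return user, password


def basic_auth_over_http(record: Dict[str, Optional[str]]) -> bool:
    """The rule's condition: Basic credentials observed on a plain-HTTP request."""
    return (record.get("http.scheme") == "http"
            and decode_basic(record.get("authorization")) is not None)


def find_findings(records: List[Dict[str, Optional[str]]]) -> List[str]:
    """Return the URLs that would be reported by this finding."""
    return [r["http.url"] for r in records if basic_auth_over_http(r)]


def guard(record: Dict[str, Optional[str]]) -> Tuple[int, Dict[str, str]]:
    """Model of the remediation at the edge (assumed behaviour, not a real server).

    Plain-HTTP requests are redirected to the HTTPS equivalent before any
    credential is examined; HTTPS responses carry HSTS. HSTS is deliberately
    not sent on the HTTP response, since browsers ignore it there.
    """
    parts = urlsplit(record["http.url"] or "")
    if parts.scheme != "https":
        https_url = urlunsplit(("https",) + tuple(parts[1:]))
        return 301, {"Location": https_url}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


if __name__ == "__main__":
    print("Recovered from base64:", decode_basic(SAMPLE_REQUESTS[0]["authorization"]))
    print("Findings:", find_findings(SAMPLE_REQUESTS))
    for rec in SAMPLE_REQUESTS[:2]:
        print(rec["http.url"], "->", guard(rec))
```

Run as-is to see the decoded credential, the single flagged URL, and the two guard outcomes. Note that the HTTPS record with Basic Auth is not reported by this finding; it is still a candidate for the second remediation bullet, but transport protection is in place.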

References

Reference                                      Description
OWASP - Authentication Cheat Sheet             Best practices for authentication design and credential handling.
OWASP - Transport Layer Security Cheat Sheet   TLS deployment and HSTS guidance.