Authentication route uses Basic Auth without HTTPS
Description
The API endpoint accepts Basic Access Authentication over unencrypted HTTP. Basic Auth only base64-encodes the username and password, which is trivially reversible, so the entire request, including the Authorization header, can be read or modified by anyone on the network path.
Combining Basic Auth with plain HTTP removes transport protection entirely: the password is exposed in cleartext to any passive eavesdropper on the path, with no need for an active interception or downgrade attack, and it is re-exposed on every request because Basic Auth resends the credentials each time.
Rationale
This finding matches publicly reachable endpoints where Datadog detected Basic Auth as the authentication mechanism, traffic uses @http.scheme:http, and stronger schemes (Bearer, JWT, generic Authorization flows) are not the primary signal.
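The rule's matching logic, recreated here as an added example (not Datadog's detection code) over constructed records shaped like the trace attributes the rule refers to. Only the @http.scheme attribute name comes from the rule text; the other field names, the hostnames and the credentials are assumptions for illustration. The example also decodes the flagged header to show exactly what a passive observer recovers.

```python
from __future__ import annotations

import base64
import binascii
from dataclasses import dataclass
from typing import Optional

# Constructed sample records. "http.scheme" mirrors the rule's @http.scheme
# attribute; the remaining keys are assumed names for illustration only.
SAMPLE_RECORDS = [
    {"http.scheme": "http",  "http.url": "http://api.example.test/v1/login",
     "http.request.headers.authorization": "Basic YWxpY2U6aHVudGVyMg=="},
    {"http.scheme": "https", "http.url": "https://api.example.test/v1/login",
     "http.request.headers.authorization": "Basic YWxpY2U6aHVudGVyMg=="},
    {"http.scheme": "http",  "http.url": "http://api.example.test/v1/items",
     "http.request.headers.authorization": "Bearer opaque-token-example"},
    {"http.scheme": "http",  "http.url": "http://api.example.test/health",
     "http.request.headers.authorization": None},
]


@dataclass
class Finding:
    url: str
    username: str
    password: str


def auth_scheme(header: Optional[str]) -> Optional[str]:
    """Return the lower-cased scheme token of an Authorization header, if any."""
    if not header:
        return None
    return header.split(None, 1)[0].lower()


def decode_basic(header: str) -> Optional[tuple[str, str]]:
    """Recover the cleartext user and password from a Basic header.

    base64 is an encoding, not encryption: no key is needed, so anyone who
    sees the header sees the password.
    """
    parts = header.split(None, 1)
    if len(parts) != 2:
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:  # RFC 7617 requires a colon separator
        return None
    return user, password


def basic_auth_over_http(records) -> list[Finding]:
    """Mirror the rule: flag requests whose scheme is http and whose primary
    Authorization scheme is Basic. Bearer and other schemes are not flagged,
    and neither is Basic Auth carried over https."""
    findings: list[Finding] = []
    for rec in records:
        if rec.get("http.scheme", "").lower() != "http":
            continue
        header = rec.get("http.request.headers.authorization")
        if auth_scheme(header) != "basic":
            continue
        creds = decode_basic(header)
        if creds is None:
            continue
        findings.append(Finding(rec["http.url"], *creds))
    return findings


if __name__ == "__main__":
    for f in basic_auth_over_http(SAMPLE_RECORDS):
        print(f"{f.url}: cleartext credentials {f.username}:{f.password}")
```

Running the block flags only the first record: the https request with the same header is not a match, and the Bearer request over http is a different (still undesirable) problem that this rule does not cover.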
Remediation
- Enforce HTTPS for every route that handles credentials. Redirect plain HTTP to HTTPS, send a Strict-Transport-Security (HSTS) header so browsers stop issuing the first HTTP request at all, and keep TLS configured correctly (current protocol versions, valid certificates, no weak cipher suites). Moving Basic Auth onto TLS is the minimum fix; the password still travels with every request.
- Replace Basic Auth with a modern pattern where practical: OAuth 2.0 bearer access and refresh tokens (RFC 6749), or mutual TLS for service-to-service calls.
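The redirect-and-HSTS step of the remediation, as an added example in the form of a WSGI middleware. This is illustrative code, not part of the page or of any framework: the HSTS max-age, the demo application and the handling of X-Forwarded-Proto are assumptions. It also covers two edge cases the list does not spell out: a request that already carried credentials over plain HTTP is refused rather than redirected (the secret is already exposed, and a redirect would teach the client to keep doing it), and X-Forwarded-Proto is only honored when the deployment explicitly says it sits behind a trusted TLS-terminating proxy, since otherwise a client can spoof it to bypass the check.

```python
from __future__ import annotations

from urllib.parse import urlunsplit

# Two years, as commonly recommended for HSTS preload; tune for your deployment.
HSTS = "max-age=63072000; includeSubDomains"


def request_scheme(environ, trust_forwarded_proto: bool) -> str:
    """Effective scheme of the request.

    X-Forwarded-Proto is client-controlled unless a trusted proxy overwrites it,
    so it is only consulted when the caller opts in.
    """
    if trust_forwarded_proto and environ.get("HTTP_X_FORWARDED_PROTO"):
        return environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def https_url(environ) -> str:
    """Same host, path and query as the request, on https."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    return urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))


def require_https(app, trust_forwarded_proto: bool = False):
    """WSGI middleware: never let a credential-bearing request proceed over http."""

    def wrapped(environ, start_response):
        if request_scheme(environ, trust_forwarded_proto) != "https":
            if environ.get("HTTP_AUTHORIZATION"):
                # Credentials already went over the wire in the clear. Refuse,
                # so the calling client is fixed instead of silently redirected.
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [b"credentials must be sent over HTTPS\n"]
            # 308 keeps method and body intact, unlike 301/302 in some clients.
            start_response("308 Permanent Redirect",
                           [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Set HSTS on every https response; drop any duplicate the app set.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)

    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the real API; it would validate the credentials here."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"authenticated\n"]


def call(app, environ) -> tuple[str, dict, bytes]:
    """Invoke a WSGI app in-process and capture status, headers and body."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured = require_https(demo_app)
secured_behind_proxy = require_https(demo_app, trust_forwarded_proto=True)

if __name__ == "__main__":
    env = {"wsgi.url_scheme": "http", "HTTP_HOST": "api.example.test",
           "PATH_INFO": "/v1/login", "QUERY_STRING": "", "REQUEST_METHOD": "GET"}
    print(call(secured, env)[0], call(secured, env)[1].get("location"))
```

Deploying this in front of the application is a fallback, not a substitute for terminating TLS and redirecting at the edge (load balancer or reverse proxy), where the plain-HTTP listener should ideally not reach application code at all.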