Authentication route uses Basic Auth without HTTPS
Description
The API endpoint accepts Basic Access Authentication (RFC 7617) over unencrypted HTTP. The Authorization header carries `base64(username ":" password)`; base64 is an encoding, not encryption, and is trivially reversible. Because the transport is plain HTTP, the whole request, including that header, can be read or modified by anyone on the network path.
Combining Basic Auth with HTTP removes transport protection entirely: passwords are exposed in cleartext to a purely passive eavesdropper (shared Wi-Fi, a compromised router, a network tap), not only to an active attacker who can intercept or downgrade a connection. Any credential that has already been sent this way should be treated as compromised.
Rationale
This finding matches publicly reachable endpoints where Datadog detected Basic Auth as the authentication mechanism, the traffic uses @http.scheme:http, and stronger schemes (Bearer, JWT, generic Authorization flows) are not the primary signal.
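The two points above, that the signal is "Basic scheme plus plain http" and that the credential is recoverable by anyone who sees the header, are shown together in the following added example. It is not Datadog's detection code: the record field names (`scheme`, `path`, `authorization`) and the sample requests are constructed for this illustration and do not correspond to Datadog attribute names.

```python
import base64
import binascii

# Constructed sample records (assumption: one record per request, carrying the
# URL scheme and the raw Authorization header). Not real traffic.
SAMPLE_REQUESTS = [
    {"scheme": "http",  "path": "/api/v1/admin",  "authorization": "Basic YWxpY2U6cEBzczp3MHJk"},
    {"scheme": "https", "path": "/api/v1/admin",  "authorization": "Basic YWxpY2U6cEBzczp3MHJk"},
    {"scheme": "http",  "path": "/api/v1/items",  "authorization": "Bearer eyJhbGciOi..."},
    {"scheme": "http",  "path": "/api/v1/items",  "authorization": None},
    {"scheme": "http",  "path": "/api/v1/legacy", "authorization": "basic !!not-base64!!"},
]


def decode_basic_credentials(header_value):
    """Reverse the Basic scheme (RFC 7617): 'Basic ' + base64(user ':' password).

    Returns (user, password), or None when the header is not a well-formed
    Basic credential. Only the first colon separates user from password, so a
    password that itself contains ':' survives intact.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error:  # bad alphabet or padding: not decodable, still Basic
        return None
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:  # RFC 7617 requires the colon between user-id and password
        return None
    return user, password


def find_basic_auth_over_http(records):
    """Flag every request that used the Basic scheme over plain http.

    Mirrors the rule's signal: scheme is http AND the Authorization scheme is
    Basic. Bearer/JWT-only traffic, unauthenticated requests and Basic over
    https are not findings. A Basic header that fails to decode is still a
    finding (the scheme is the problem), but is marked malformed.
    """
    findings = []
    for rec in records:
        auth = rec.get("authorization")
        if not auth or rec.get("scheme", "").lower() != "http":
            continue
        if auth.split(" ", 1)[0].lower() != "basic":
            continue
        creds = decode_basic_credentials(auth)
        findings.append({
            "path": rec["path"],
            "user": creds[0] if creds else None,
            "password_exposed": creds is not None,
            "malformed": creds is None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_basic_auth_over_http(SAMPLE_REQUESTS):
        print(finding)
```

Note that the decoder does exactly what a passive eavesdropper does with a captured header: one `base64.b64decode` call yields `alice` and `p@ss:w0rd`. No key, no cracking, no active position on the connection is needed.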
Remediation
- Enforce HTTPS for every route that handles credentials: redirect HTTP to HTTPS, send a Strict-Transport-Security (HSTS) header on HTTPS responses so browsers stop issuing plain-HTTP requests, and verify the TLS configuration (current protocol versions and cipher suites, a valid certificate chain). Rotate any credential that was already sent over HTTP; a redirect does not un-leak it.
- Replace Basic Auth with a modern pattern where practical: OAuth 2.0 access and refresh tokens (RFC 6749), or mutual TLS for service-to-service calls.
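The first remediation step, enforcing HTTPS and HSTS on a credential-handling route, as an added example and not code from the original page or from Datadog. It is a small WSGI middleware; the application `protected_app`, the host name `api.example.com`, the `RequireHttps` class and the `trust_forwarded_proto` option are all assumptions made for this illustration. The same policy is normally applied at the load balancer or reverse proxy as well, since a request over HTTP has already crossed the network before any application code runs.

```python
from urllib.parse import quote

# One year, covering subdomains; a common production value (assumption for this example).
HSTS_VALUE = "max-age=31536000; includeSubDomains"


class RequireHttps:
    """WSGI middleware (example): never serve a credential-handling route over http.

    - http requests get a 308 redirect to the https URL (308 keeps method and
      body, so POSTed logins are replayed over TLS rather than turned into GETs).
    - https responses get a Strict-Transport-Security header.
    - Behind a TLS-terminating proxy the server sees http on its own hop; only
      honour X-Forwarded-Proto when the proxy is trusted to set it, otherwise a
      client could spoof the header and bypass the redirect.
    """

    def __init__(self, app, canonical_host, trust_forwarded_proto=False):
        self.app = app
        self.canonical_host = canonical_host
        self.trust_forwarded_proto = trust_forwarded_proto

    def _is_https(self, environ):
        if self.trust_forwarded_proto:
            forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip()
            if forwarded:
                return forwarded.lower() == "https"
        return environ.get("wsgi.url_scheme") == "https"

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            location = "https://" + self.canonical_host + quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            if query:
                location += "?" + query
            # The request never reaches the application over http.
            start_response("308 Permanent Redirect",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def protected_app(environ, start_response):
    """Stand-in for the credential-handling route (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"authenticated resource"]


def make_environ(scheme, path="/api/v1/admin", query="", **extra):
    """Build a minimal WSGI environ for a request (constructed test input)."""
    env = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme, "PATH_INFO": path,
           "QUERY_STRING": query, "HTTP_HOST": "api.example.com"}
    env.update(extra)
    return env


def run_wsgi(app, environ):
    """Invoke a WSGI app once and return (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = RequireHttps(protected_app, canonical_host="api.example.com")
app_behind_proxy = RequireHttps(protected_app, canonical_host="api.example.com",
                                trust_forwarded_proto=True)

if __name__ == "__main__":
    print(run_wsgi(app, make_environ("http", query="a=1")))
    print(run_wsgi(app, make_environ("https")))
```

Two edge cases are worth calling out. A spoofed `X-Forwarded-Proto: https` on a direct http connection is ignored unless `trust_forwarded_proto` is set, so enable it only when the app is reachable solely through the proxy. And a client that already sent `Authorization: Basic ...` over http will resend it over https after the 308, which is the desired behaviour going forward, but the credential was on the wire in cleartext before the redirect and still needs to be rotated.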