Authentication route uses Basic Auth without HTTPS

Description

This rule identifies when an authentication route uses Basic Auth without HTTPS.

Rationale

Basic Auth sends the credentials of every request. Without HTTPS, those credentials are sent in cleartext, exposing the user credentials to potential interception.

Remediation

  • Enforce HTTPS (HSTS)
  • Migrate to a stronger auth scheme