HTTP authentication - HTTP | MDN

archived 23 Jan 2018 14:50:25 UTC
HTTP provides a general framework for access control and authentication. The most common HTTP authentication scheme is the "Basic" authentication. This page introduces the general HTTP auth framework and shows how to restrict access to your server with HTTP Basic authentication.

The general HTTP authentication framework

RFC 7235 defines the HTTP authentication framework, which a server uses to challenge a client request and a client uses to provide authentication information. The challenge and response flow works like this: the server responds to a client with a 401 (Unauthorized) status and states how to authenticate in a WWW-Authenticate response header containing at least one challenge. A client that wants to authenticate itself with the server then repeats the request with an Authorization request header carrying the credentials. Usually a browser presents a password prompt to the user and then issues the request including the correct Authorization header.
In the case of "Basic" authentication, the credentials in that header are only base64-encoded, so the exchange must happen over an HTTPS (TLS) connection to be secure.

Proxy authentication

The same challenge and response mechanism can be used for proxy authentication. In this case, it is an intermediate proxy that requires authentication. As both resource authentication and proxy authentication can coexist, a different set of headers and status codes is needed. In the case of proxies, the challenging status code is 407 (Proxy Authentication Required), the Proxy-Authenticate response header contains at least one challenge applicable to the proxy, and the Proxy-Authorization request header is used for providing the credentials to the proxy server.

Access forbidden

If a (proxy) server receives valid credentials that are not adequate to gain access to a given resource, it should respond with the 403 Forbidden status code. Unlike 401 Unauthorized or 407 Proxy Authentication Required, this tells the client that re-authenticating will not help: the identity was accepted, but it is not permitted to access the resource.

WWW-Authenticate and Proxy-Authenticate headers

The WWW-Authenticate and Proxy-Authenticate response headers define the authentication method that should be used to gain access to a resource. They need to specify which authentication scheme is used, so that the client that wishes to authenticate knows how to provide the credentials. The syntax for these headers is the following:
WWW-Authenticate: <type> realm="<realm>"
Proxy-Authenticate: <type> realm="<realm>"
Here, <type> is the authentication scheme ("Basic" is the most common scheme and is introduced below). The realm is used to describe the protected area or to indicate the scope of protection. This could be a message like "Access to the staging site" or similar, so that the user knows which space they are trying to get access to. The realm value is sent as a quoted string. A single header may also carry several challenges, separated by commas, when the server accepts more than one scheme; a client should pick the strongest one it supports.
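To make the header syntax concrete, here is an added example (not part of the original page) of a small client-side parser for WWW-Authenticate and Proxy-Authenticate values, written in Python. It handles the general RFC 7235 form, which goes beyond the single-challenge line shown above: several comma-separated challenges, quoted-string and token parameter values with backslash escapes, and a bare token68 value (as schemes such as Negotiate send). The header strings it parses are constructed for the example, modelled on the one in RFC 7235.

```python
import re

# RFC 7230 token and quoted-string, and RFC 7235 token68 (the bare base64-like
# value some schemes send instead of auth-params). _BARE covers both a scheme
# name and a token68 value; which one it is depends on its position.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_BARE = r"[!#$%&'*+\-.^_`|~0-9A-Za-z/]+=*"

_ITEM = re.compile(
    rf"\s*(?:(?P<key>{_TOKEN})\s*=\s*(?P<val>{_QUOTED}|{_TOKEN})"  # auth-param
    rf"|(?P<bare>{_BARE})"                                          # scheme name or token68
    r"|(?P<comma>,))\s*"                                            # list separator
)


def _unquote(value: str) -> str:
    """Strip a quoted-string's quotes and resolve backslash escapes (quoted-pair)."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header_value: str) -> list:
    """Parse a WWW-Authenticate / Proxy-Authenticate field value into a list of
    {"scheme", "token68", "params"} dicts, in the order the server listed them.
    Raises ValueError on syntax the grammar does not allow."""
    header_value = header_value.strip()
    challenges = []
    current = None
    after_comma = True          # the start of the value behaves like "after a comma"
    pos, end = 0, len(header_value)
    while pos < end:
        m = _ITEM.match(header_value, pos)
        if m is None:
            raise ValueError(f"malformed challenge at offset {pos}: {header_value[pos:]!r}")
        pos = m.end()
        if m.group("comma"):
            after_comma = True   # empty list elements (", ,") are tolerated
            continue
        if m.group("key") is not None:
            if current is None:
                raise ValueError("auth-param appears before any auth-scheme")
            name = m.group("key").lower()       # parameter names are case-insensitive
            if name in current["params"]:
                raise ValueError(f"duplicate parameter {name!r}")
            current["params"][name] = _unquote(m.group("val"))
        elif after_comma:
            # A bare token at the start or after a comma begins a new challenge.
            current = {"scheme": m.group("bare"), "token68": None, "params": {}}
            challenges.append(current)
        elif current["token68"] is None and not current["params"]:
            # A bare token directly after the scheme name is its token68 value.
            current["token68"] = m.group("bare")
        else:
            raise ValueError(f"unexpected token {m.group('bare')!r} (missing comma?)")
        after_comma = False
    return challenges


def first_supported(challenges: list, supported: set):
    """Return the first challenge whose scheme (case-insensitive) the client supports."""
    for challenge in challenges:
        if challenge["scheme"].lower() in supported:
            return challenge
    return None


if __name__ == "__main__":
    # Constructed header value: two parameterised schemes, a quoted-pair inside a
    # quoted-string, and a token68 challenge.
    hdr = r'Basic realm="Access to the staging site", Newauth realm="apps", type=1, title="Login to \"apps\"", Negotiate YWJj'
    for challenge in parse_challenges(hdr):
        print(challenge)
    print(first_supported(parse_challenges(hdr), {"basic", "bearer"}))
```

Note that the parser decides whether a bare token is a scheme name or a token68 value purely from its position; a missing comma between two challenges is therefore reported as an error rather than guessed at.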

Authorization and Proxy-Authorization headers

The Authorization and Proxy-Authorization request headers contain the credentials to authenticate a user agent with a (proxy) server. Here, the type is needed again, followed by the credentials, whose form depends on the scheme: for Basic they are the base64-encoded user ID and password, for Digest a hash computed over the challenge, for Bearer an opaque token.
Authorization: <type> <credentials>
Proxy-Authorization: <type> <credentials>

Authentication schemes

The general HTTP authentication framework is used by several authentication schemes. Schemes differ in security strength and in their availability in client or server software.
The most common authentication scheme is the "Basic" scheme, which is introduced in more detail below. IANA maintains a registry of authentication schemes, and hosting services offer schemes of their own, such as Amazon AWS. Common authentication schemes include Basic (RFC 7617, base64-encoded user ID and password), Bearer (RFC 6750, bearer tokens for OAuth 2.0-protected resources), Digest (RFC 7616, a challenge-response exchange that sends a hash instead of the password), HOBA (RFC 7486, HTTP Origin-Bound Authentication, based on digital signatures), Mutual (RFC 8120), Negotiate (RFC 4559, SPNEGO with Kerberos or NTLM) and AWS4-HMAC-SHA256 (Amazon's request-signing scheme).

Basic authentication scheme

The "Basic" HTTP authentication scheme is defined in RFC 7617. It transmits credentials as user ID/password pairs: the two are joined with a colon ("user-id:password"), and the result is base64-encoded and sent in the Authorization header. Because the colon is the separator, a user ID cannot contain one; a password can, so a server must split only on the first colon.

Security of basic authentication

As the user ID and password are passed over the network as clear text (base64 is an encoding, not encryption, and is trivially reversed), the Basic authentication scheme is not secure on its own. HTTPS / TLS must be used in conjunction with Basic authentication. Without this protection, Basic authentication should not be used to protect sensitive or valuable information. Keep in mind as well that once a browser has accepted credentials for a realm it resends them with every subsequent request to that realm for the rest of the session, so there is no real "logout", and the server should rate-limit failed attempts because the exchange is cheap to brute-force.
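As an added example (not from the original page), the following Python models both sides of the Basic exchange described above: building the Authorization header the way RFC 7617 specifies, and a server-side handler that issues the 401 challenge, decodes and validates the credentials, and returns 403 when the credentials are valid but not adequate for the resource. The user store, the role check and the PBKDF2 password hashing are assumptions of the example, not the .htpasswd format used by Apache and nginx below; "Aladdin" / "open sesame" is the test vector from RFC 7617.

```python
import base64
import hashlib
import hmac
import os

REALM = "Access to the staging site"


# --- constructed credential store (an assumption of the example, not .htpasswd) ---

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only hashes are kept server side."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


USERS = {
    "Aladdin": _make_user("open sesame", {"staff"}),   # may read the protected path
    "user2": _make_user("correct horse", set()),       # valid login, but no roles
}
_DUMMY_SALT = b"\x00" * 16


# --- client side ----------------------------------------------------------------

def basic_authorization(user_id: str, password: str) -> str:
    """Build the 'Basic <base64(user-id ':' password)>' value per RFC 7617."""
    if ":" in user_id:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


# --- server side ----------------------------------------------------------------

def parse_basic_credentials(authorization):
    """Return (user_id, password) from an Authorization header value, or None if
    it is absent, not Basic, not valid base64/UTF-8, or lacks the colon."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        user_pass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return None
    user_id, sep, password = user_pass.partition(":")   # split on the FIRST colon only
    return (user_id, password) if sep else None


def verify_password(user_id: str, password: str) -> bool:
    record = USERS.get(user_id)
    if record is None:
        _hash_password(password, _DUMMY_SALT)     # same cost for unknown users
        return False
    return hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])


def handle_request(path: str, headers: dict, required_role: str = "staff"):
    """Server side of the RFC 7235 exchange. Returns (status, response_headers, body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    creds = parse_basic_credentials(lowered.get("authorization"))
    if creds is None:
        return 401, challenge, "credentials required"        # challenge the client
    user_id, password = creds
    if not verify_password(user_id, password):
        return 401, challenge, "bad credentials"              # challenge again
    if required_role not in USERS[user_id]["roles"]:
        # Authenticated but not authorised: 403, and no challenge, because
        # presenting the same valid credentials again cannot change the outcome.
        return 403, {}, "forbidden"
    return 200, {}, f"hello {user_id}, here is {path}"


if __name__ == "__main__":
    print(handle_request("/status", {}))
    auth = basic_authorization("Aladdin", "open sesame")
    print(auth)
    print(handle_request("/status", {"Authorization": auth}))
    print(handle_request("/status", {"Authorization": basic_authorization("user2", "correct horse")}))
```

The two points a real deployment most often gets wrong are visible here: the password is compared through a constant-time digest comparison against a salted hash rather than against a stored clear-text string, and the 403 branch deliberately omits WWW-Authenticate.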

Restricting access with Apache and basic authentication

To password-protect a directory on an Apache server, you will need a .htaccess and a .htpasswd file.
The .htaccess file typically looks like this:
AuthType Basic
AuthName "Access to the staging site"
AuthUserFile /path/to/.htpasswd
Require valid-user
The .htaccess file references a .htpasswd file in which each line consists of a username and a password hash separated by a colon (":"). The passwords themselves are not stored: each is hashed (the "$apr1$" prefix below marks Apache's salted, iterated MD5 format; on current Apache, htpasswd -B produces bcrypt hashes instead, which is preferable). Note that you can name your .htpasswd file differently if you like, but keep in mind that this file should be readable only by the server process and should live outside the document root. (Apache is usually configured to deny web access to .ht* files in any case.)
aladdin:$apr1$ZjTqBB3f$IF9gdYAGlMrs2fuINjHsz.
user2:$apr1$O04r.y2H$/vEkesPhVInBByJUkXitA/

Restricting access with nginx and basic authentication

For nginx, you will need to specify a location that you are going to protect and the auth_basic directive that provides the name of the password-protected area. The auth_basic_user_file directive then points to a .htpasswd file containing the hashed user credentials, just like in the Apache example above (the file can be generated with htpasswd or openssl passwd, and the same advice about file permissions applies).
location /status {
    auth_basic           "Access to the staging site";
    auth_basic_user_file /etc/apache2/.htpasswd;
}

Access using credentials in the URL

Many clients also let you avoid the login prompt by putting the username and the password into the userinfo part of the URL, like this:
https://username:password@www.example.com/
The use of these URLs is deprecated (RFC 3986 deprecates the "user:password" form of the userinfo component), and the password ends up in shell history, logs and bookmarks. In Chrome, the username:password@ part of the URL is even stripped out for security reasons. Firefox checks whether the site actually requires authentication and, if not, warns the user with a prompt: "You are about to log in to the site “www.example.com” with the username “username”, but the website does not require authentication. This may be an attempt to trick you."

Document Tags and Contributors

Contributors to this page: kwwxis, ts9111, scooter-dangle, shadok, granttchart, Tigt, fscholz, teoli
Last updated by: kwwxis