---
title: Authentication route uses Basic Auth without HTTPS
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Authentication route uses Basic Auth
  without HTTPS
---

# Authentication route uses Basic Auth without HTTPS
 
## Description{% #description %}

The API endpoint accepts [Basic Access Authentication](https://datatracker.ietf.org/doc/html/rfc7617) over **unencrypted HTTP**. Credentials are sent with only base64 encoding, which is trivially reversible, and the entire request—including the `Authorization` header—can be read or modified by anyone on the network path.

Combining Basic Auth with HTTP removes transport protection entirely: passwords are exposed in cleartext to passive eavesdropping, not only to active TLS termination attacks.

## Rationale{% #rationale %}

This finding matches publicly reachable endpoints where Datadog detected Basic Auth as the [authentication mechanism](https://docs.datadoghq.com/security/application_security/api-inventory.md#endpoint-authentication), traffic uses `@http.scheme:http`, and stronger schemes (Bearer, JWT, generic `Authorization` flows) are not the primary signal.

## Remediation{% #remediation %}

- **Enforce HTTPS** for every route that handles credentials. Redirect HTTP to HTTPS, use HSTS, and ensure TLS is configured correctly.
- **Replace Basic Auth** with a modern pattern where practical: token-based access and refresh tokens ([RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749)), or mutual TLS for service-to-service calls.
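
As an added illustration that is not part of Datadog's documentation or rule implementation, the following Python sketches the detection logic above (Basic as the primary scheme on `http` traffic, grouped per endpoint) over a constructed set of request observations, plus the HTTP-to-HTTPS redirect and HSTS step from the remediation. The `(url, Authorization)` tuple format, the example hostname and the helper names are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed request observations (not real traffic): (url, Authorization header value).
# Credential values are placeholders; only the scheme token is inspected.
SAMPLE_REQUESTS = [
    ("http://api.example.test/v1/login",  "Basic <b64-credentials>"),
    ("http://api.example.test/v1/login",  "Basic <b64-credentials>"),
    ("https://api.example.test/v1/login", "Basic <b64-credentials>"),  # TLS: not a finding
    ("http://api.example.test/v1/items",  "Bearer <token>"),
    ("http://api.example.test/v1/items",  "Basic <b64-credentials>"),  # one stray Basic call
    ("http://api.example.test/v1/items",  "Bearer <token>"),
    ("http://api.example.test/v1/health", None),                       # unauthenticated
]

def auth_scheme(authorization):
    """Lowercased scheme token of an Authorization header ('basic', 'bearer', ...), or None."""
    if not authorization:
        return None
    return authorization.split(None, 1)[0].lower()

def primary_scheme(auth_values):
    """Most frequently observed scheme for an endpoint; None if it never carries credentials."""
    counts = Counter(s for s in map(auth_scheme, auth_values) if s)
    return counts.most_common(1)[0][0] if counts else None

def basic_auth_over_http(requests):
    """Return endpoint paths whose plain-HTTP traffic uses Basic Auth as the primary scheme.

    Mirrors the rule: http scheme, Basic detected, and no stronger scheme dominating.
    """
    by_path = defaultdict(list)
    for url, authorization in requests:
        parts = urlsplit(url)
        if parts.scheme == "http":
            by_path[parts.path].append(authorization)
    return sorted(path for path, auths in by_path.items() if primary_scheme(auths) == "basic")

def handle_transport(url):
    """Remediation step, evaluated before any credential parsing.

    Plain HTTP: answer with a 301 to the https:// URL and never read the header.
    HTTPS: add HSTS (RFC 6797 requires it to be sent over TLS; clients ignore it on http).
    Returns (status, response_headers) for the caller's framework to emit.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return 301, {"Location": parts._replace(scheme="https").geturl()}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    print("Basic over HTTP:", basic_auth_over_http(SAMPLE_REQUESTS))  # ['/v1/login']
    print(handle_transport("http://api.example.test/v1/login"))
```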

### References{% #references %}

| Reference                                                                                                                                | Description                                                       |
| ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
| [OWASP - Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)                     | Best practices for authentication design and credential handling. |
| [OWASP - Transport Layer Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html) | TLS deployment and HSTS guidance.                                 |
