
What is Basic Auth? With ExpressJS example

Published: Dec 22, 2024


Best Practices and Security Considerations

Before you add basic auth to your application, there are some things you should know before making this decision.

As always recommended, basic auth needs HTTPS

When using basic auth, the credentials are sent with every request after login. This means that every request is an opportunity for a man-in-the-middle attacker to capture the credentials. To prevent this, HTTPS is required (HTTPS should be the standard anyway, and unencrypted HTTP should only be used for local development).

Realms should not contain sensitive information

When choosing the name of a realm, it should not contain any information that a user without access should not be able to see. Even though the realm is not displayed in the login screen, it can still be read in the network tab of your browser's developer tools.

There is no logout function

After logging in with basic auth, the credentials are managed by your browser and are sent with every following request. You don't have the option to log out; how long the credentials are stored depends on the behavior of your browser. This is something you have to consider when multiple users share the same device. In such cases, an authorized user should be able to log out to prevent an unauthorized user from opening the application.

There is no option to reset the password

A user login form should contain an option to reset the password in case the user has forgotten it. The application is usually behind the basic auth screen, so it cannot be accessed when not authorized. You could create a separate page without basic auth for this, but you are then possibly limited by your framework or library, which often uses a static list of credentials.

You have to consider brute force attacks

A brute force attack is a script trying out credentials, either randomly generated or taken from lists (which contain, for example, passwords like "12345678", "admin", or "raspberrypi"). Basic auth is checked very quickly, which means that a script can try out passwords at a high rate. Therefore, your credentials should be long and include special characters to protect your page from brute force attacks.