Basic authentication

Basic authentication, or basic access authentication, is a mechanism used to restrict or grant access to specific resources on the server. In a web application, the resources are often web pages, but this mechanism can be used to secure RESTful web services as well. However, this approach is not common for web services; a different mechanism, based on tokens, is preferred.

When a website is secured using basic authentication, users need to provide their credentials before requesting the website's pages. The user credentials are merely a simple combination of a username and password, encoded using the Base64 algorithm, which gives the value that is placed in the Authorization header. The server uses this value to validate whether the user is authenticated and authorized to access the requested resource. If the user is authenticated, this means that the provided username and password combination is valid; being authorized means that the authenticated user has permission to execute specific actions or view individual pages.

One problem with using this authentication mechanism is that when the user sends the credentials to the server during the authentication process, the credentials are effectively sent in plain text: Base64 is an encoding, not encryption, and is trivially reversible. If the request is intercepted, the credentials are exposed. The following screenshot makes this problem evident; in this case, the request was intercepted using a tool called Wireshark (https://www.wireshark.org):

Intercepted HTTP request
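The following is an added example, not code from the book, that shows both sides of the exchange described above: the client builds the Authorization header value by Base64-encoding "username:password", and the server decodes it, checks it against a stored credential, and answers with a 401 challenge when it fails. It also makes the interception problem concrete: decoding the header recovers the password unchanged. The user store, salt, realm name and the helper function names are all assumptions made for this example; a real server keeps a per-user random salt rather than the fixed one used here.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed user store for the example. Servers should never keep plaintext
# passwords; here each password is stored as a PBKDF2-HMAC-SHA256 hash.
def _hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

_SALT = b"constructed-static-salt-for-demo"  # constructed; use a random salt per user in practice
USERS: Dict[str, bytes] = {
    "alice": _hash_password("s3cret", _SALT),  # constructed sample credential
}

def build_basic_header(username: str, password: str) -> str:
    """Client side: produce the value sent in the Authorization request header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from the header, or None if malformed.

    This is exactly what an eavesdropper can do with an intercepted request,
    which is why the transport must be encrypted (HTTPS).
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # The username cannot contain ':', so split on the first one only;
    # the password may legitimately contain further colons.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password

def authenticate(header_value: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Return the (status code, response headers) a server would send."""
    challenge = {"WWW-Authenticate": 'Basic realm="demo"'}  # realm name is an assumption
    if header_value is None:
        return 401, challenge            # no credentials: ask the browser for them
    creds = decode_basic_header(header_value)
    if creds is None:
        return 400, {}                   # syntactically invalid header
    username, password = creds
    stored = USERS.get(username)
    # Hash the candidate even for unknown users so the response time does not
    # reveal whether the username exists; compare in constant time.
    candidate = _hash_password(password, _SALT)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return 401, challenge
    return 200, {}

if __name__ == "__main__":
    header = build_basic_header("alice", "s3cret")
    print("Sent on the wire:", header)
    print("Recovered by anyone who sees it:", decode_basic_header(header))
    print("Server verdict:", authenticate(header)[0])
```

The 401 response carries a WWW-Authenticate header so that the browser knows to prompt for credentials and retry; a malformed header is answered with 400 rather than 401, since re-prompting would not help.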

This issue can be solved easily using HTTPS, the secure version of HTTP, in which a certificate is used to encrypt the data exchanged between the server and the browser. The certificate should be issued by a trusted Certificate Authority (CA) and installed on the server. Browsers ship with a list of trusted CA root certificates, against which the server's certificate is validated when a secure connection is established. Once the certificate is validated, the address bar shows a padlock, as shown in the following screenshot:

Padlock shown in the address bar

As you can see in the following screenshot, in this example the HTTPS connection uses port 8443 instead of the standard port 80, which is intended for HTTP:

Address bar using HTTPS

For development purposes, you can generate your own certificates, but since they are not issued by a trusted CA, the browser will show a warning indicating that the certificate could not be validated; you can add an exception to open the requested pages using HTTPS.

The following diagram shows how a connection is established using the HTTPS protocol:

HTTPS connection

The padlock located in the middle represents the encrypted data when it is going through the computer network, which makes it impossible to read. The following screenshot shows how the data looks when it is intercepted using Wireshark:

Intercepted HTTPS request

As you can see, this intercepted data is hard to understand. In this way, all of the information sent is protected, and, even if it is captured in transit, it can't be easily read. Intercepting traffic in transit like this is known as a man-in-the-middle attack, which is one of the most common types of attack.
