basic auth request

Chris Angelico rosuav at gmail.com
Tue Aug 17 17:18:28 EDT 2021


On Wed, Aug 18, 2021 at 7:15 AM Barry <barry at barrys-emacs.org> wrote:
>
>
>
> > On 17 Aug 2021, at 19:25, Chris Angelico <rosuav at gmail.com> wrote:
> >
> > On Wed, Aug 18, 2021 at 4:16 AM Barry Scott <barry at barrys-emacs.org> wrote:
> >> Oh and if you have the freedom, avoid Basic Auth as it's not secure at all.
> >>
> >
> > That's usually irrelevant, since the alternative is most likely to be
> > form fill-out, which is exactly as secure. If you're serving over
> > HTTPS, the page is encrypted, and that includes the headers; if you're
> > not, then it's not encrypted, and that includes the form body.
>
> There is digest and NTLM that do not reveal the password.
>

And they require that the password be stored decryptably on the
server, which is a different vulnerability. It's all a matter of which
threat is more serious to you. Fundamentally, basic auth is no better
or worse than any of the other forms - it's just different.

ChrisA
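
The trade-off discussed in this thread, as an added Python example (not code from any of the posters): with Basic the password itself crosses the wire, so the server can keep only a salted one-way hash; with Digest the password is never sent, but the server has to keep the password or the HA1 value to recompute each response, so that stored value must be protected like the password. Assumptions: all function names, the PBKDF2 iteration count and the sample user, realm and nonce are constructed, and Digest is shown in its RFC 2617 form without `qop`.

```python
import base64, hashlib, hmac, os

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# Basic: the header is only base64, so anyone who can read it recovers the password.
def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_decode(header):
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

# Because the server sees the password, it can store a salted one-way hash of it.
def basic_enroll(password, iterations=100_000):  # iteration count is an assumption
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def basic_verify(header, record):
    # record is the enrolled (salt, iterations, hash) tuple for the claimed user
    salt, iterations, stored = record
    _, password = basic_decode(header)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)

# Digest (RFC 2617 form without qop): the password never crosses the wire, but
# the server must keep the password or HA1 to recompute the expected response.
def digest_ha1(user, realm, password):
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, nonce, method, uri):
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def digest_verify(stored_ha1, nonce, method, uri, response):
    return hmac.compare_digest(digest_response(stored_ha1, nonce, method, uri), response)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user, realm, pw, nonce = "alice", "example", "s3cret", "abc123"
    hdr = basic_header(user, pw)
    print(hdr, basic_decode(hdr), basic_verify(hdr, basic_enroll(pw)))
    ha1 = digest_ha1(user, realm, pw)
    resp = digest_response(ha1, nonce, "GET", "/private")
    print(resp, digest_verify(ha1, nonce, "GET", "/private", resp))
```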

