Hacker News
sjtgraham
3333 days ago
Basic auth is only OK if you don't have :80 open. Clients will send the creds in the clear to :80. It doesn't matter if you reply with a 400; the creds are already compromised at that point.
1 comment
JimDabell
3332 days ago
Even if you don't have :80 open, that doesn't mean there isn't a MITM that would accept the connection instead of you.
willstrafach
3332 days ago
As long as the https:// prefix is used, this is not true; a MITM cannot downgrade that.
beaconstudios
3332 days ago
plus an HSTS header for any type-in traffic.
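The thread's three points (Basic creds are on the wire before any :80 reply, an https:// URL cannot be downgraded once the client uses it, and HSTS is what protects a typed http:// URL) can be shown as a small client model. This is an added example, not code from the thread or from any of the posters; the hostnames, credentials and the simplified browser model (a set of cached HSTS hosts) are constructed assumptions.

```python
"""Added example: Basic auth on :80 versus an HSTS-pinned host (not from the thread)."""
import base64
from urllib.parse import urlsplit, urlunsplit


def build_request(url: str, username: str, password: str) -> bytes:
    """Model a client that attaches Basic credentials to a request for `url`.

    The Authorization header is part of the request, so it is on the wire
    before the server has sent any status line at all.
    """
    parts = urlsplit(url)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {parts.hostname}",
        f"Authorization: Basic {token}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def sniff_basic_credentials(raw_request: bytes):
    """What a passive observer on the :80 path recovers from the raw bytes.

    Returns (username, password) or None. Works on the request alone; the
    server's eventual reply (400 or otherwise) plays no part.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
        return user, pw
    return None


def parse_hsts(header_value: str):
    """Parse a Strict-Transport-Security value (RFC 6797 directives).

    Returns {"max-age": int, "includeSubDomains": bool}, or None when the
    header is unusable (missing or non-numeric max-age); a browser ignores
    such a header, so the host is NOT pinned to https.
    """
    policy = {"max-age": None, "includeSubDomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            policy["max-age"] = int(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
    if policy["max-age"] is None:
        return None
    return policy


def effective_url(typed_url: str, hsts_hosts: set) -> str:
    """Model a browser's handling of a typed http:// URL (assumed model).

    Without a cached HSTS entry the request goes out over plain http exactly
    as typed. With one, the scheme is rewritten to https before any
    connection is opened, so a listener on :80 (the real server or a MITM)
    never receives the request.
    """
    parts = urlsplit(typed_url)
    if parts.scheme == "http" and parts.hostname in hsts_hosts:
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return typed_url


if __name__ == "__main__":
    hsts_cache = set()                              # nothing cached yet
    typed = "http://api.example.com/status"         # constructed URL
    first = build_request(effective_url(typed, hsts_cache), "alice", "s3cret")  # constructed creds
    print("First visit goes to :80; observer recovers:", sniff_basic_credentials(first))
    # The https side later answers with an HSTS header; the browser caches the host.
    if parse_hsts("max-age=31536000; includeSubDomains"):
        hsts_cache.add("api.example.com")
    print("Same typed URL after HSTS is cached:", effective_url(typed, hsts_cache))
```

The first print shows the credentials recovered from the request bytes alone, which is the point about a 400 reply arriving too late. Closing :80 does not change that picture for a first visit either, since anything that accepts the TCP connection (including a MITM) gets the same bytes; only a cached HSTS entry, or the user typing https:// to begin with, keeps the request off :80 at all.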