An HTTP authentication scheme is the way an API challenges the credentials of users who want to interact with it. In HTTP Basic authentication the credentials are only base64-encoded, not encrypted, so anyone who intercepts the HTTP request can decode them. Basic authentication must therefore be used only in conjunction with HTTPS so that the credentials are transmitted securely. Bearer authentication is a more secure alternative in which the API authenticates only users who present an appropriate access token. The access token (bearer token) is an opaque object usually issued by the API after a successful login. JWT (JSON Web Token) is the recommended bearer format for the access token.
This rule applies at the API Specification level (OAS/Swagger).
Brute force attacks: attackers can try to guess usernames and passwords by repeatedly sending authentication requests with different credential combinations. Basic authentication itself includes no mechanism to limit repeated login attempts, so it is susceptible to brute force attacks, especially where weak or easily guessable passwords are used.
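Because the rule is evaluated against the API specification, the check can be automated. The following added example (not part of the original rule text or any vendor tool) walks a constructed OpenAPI 3 document, reports every `securitySchemes` entry that relies on HTTP Basic, lists the operations whose effective security requirement uses such a scheme, and flags servers that are not HTTPS; the spec contents and the `audit` function name are assumptions.

```python
from typing import Dict, List

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "options", "head", "trace")

SAMPLE_SPEC: Dict = {  # constructed OpenAPI 3 fragment for demonstration only
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test/v1"}],
    "paths": {
        "/login": {"post": {"security": [{"basicAuth": []}]}},
        "/orders": {"get": {}},               # inherits the global security requirement
        "/public": {"get": {"security": []}},  # explicitly unauthenticated
    },
    "components": {"securitySchemes": {
        "basicAuth": {"type": "http", "scheme": "basic"},
        "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    }},
    "security": [{"bearerAuth": []}],
}

def basic_auth_schemes(spec: Dict) -> List[str]:
    """Names of securitySchemes that use HTTP Basic authentication."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    return sorted(name for name, s in schemes.items()
                  if s.get("type") == "http" and str(s.get("scheme", "")).lower() == "basic")

def operations_using(spec: Dict, scheme_names: List[str]) -> List[str]:
    """'METHOD /path' of operations whose effective security requirement names one of scheme_names.
    An operation-level 'security' overrides the global one; an absent key inherits it."""
    hits = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            requirements = op.get("security", spec.get("security", []))
            if any(name in req for req in requirements for name in scheme_names):
                hits.append(f"{method.upper()} {path}")
    return hits

def plain_http_servers(spec: Dict) -> List[str]:
    """Server URLs over which Basic credentials would travel in clear text."""
    return [s["url"] for s in spec.get("servers", []) if not s.get("url", "").lower().startswith("https://")]

def audit(spec: Dict) -> List[str]:
    """One finding per Basic scheme, per operation using it, and per non-HTTPS server."""
    basic = basic_auth_schemes(spec)
    findings = [f"securityScheme '{n}' uses HTTP Basic; prefer bearer with bearerFormat JWT" for n in basic]
    findings += [f"operation '{op}' requires HTTP Basic" for op in operations_using(spec, basic)]
    findings += [f"server '{u}' is not HTTPS; Basic credentials would be exposed" for u in plain_http_servers(spec)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SPEC):
        print(finding)
```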