Authentication Security Best Practices


http-token-cleartext



Guidance

Your API accepts credentials sent in cleartext over an unencrypted channel. Attackers can easily intercept
API calls and retrieve the unencrypted tokens. They can then use the tokens to make other API calls.

As a secure alternative, use an HTTP authentication method listed in the IANA Authentication Scheme Registry.

These schemes aim to address the shortcomings of basic and digest authentication and include the following:

  • HTTP Origin-Bound Authentication (HOBA) (RFC 7486)
  • Mutual Authentication Protocol for HTTP (RFC 8120)
  • Salted Challenge Response HTTP Authentication Mechanism (SCRAM) (RFC 7804)
    • SCRAM-SHA-1
    • SCRAM-SHA-256
  • Voluntary Application Server Identification (VAPID) for Web Push (RFC 8292)
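The following is an added example, not MuleSoft's implementation of this rule: a hypothetical check in the spirit of http-token-cleartext that walks an OpenAPI 3 document and flags each operation whose security requirement references an HTTP authentication scheme carrying credentials in the Authorization header (basic, bearer, digest) while an applicable server URL is plain http://. The sample document, the function names and the set of flagged schemes are all assumptions made for the example.

```python
"""Hypothetical check in the spirit of http-token-cleartext (added example, not
MuleSoft's rule implementation): flag OpenAPI 3 operations that require an HTTP
authentication scheme carrying credentials (basic, bearer, digest) while any
applicable server URL is plain http:// (no TLS)."""
from urllib.parse import urlsplit

# HTTP auth schemes whose credentials travel in the Authorization header; over an
# unencrypted channel they are readable by anyone on the network path.
CLEARTEXT_HTTP_SCHEMES = {"basic", "bearer", "digest"}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _cleartext_servers(servers):
    """Return the server URLs whose scheme is plain http (no TLS)."""
    return [s["url"] for s in servers or [] if urlsplit(s.get("url", "")).scheme == "http"]


def find_cleartext_token_operations(spec):
    """Return a list of (METHOD, path, securitySchemeName, serverUrl) findings."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level security and servers override the global ones (OAS 3 semantics).
            security = op.get("security", spec.get("security", []))
            servers = _cleartext_servers(op.get("servers", spec.get("servers", [])))
            if not servers:
                continue  # every applicable server uses TLS; nothing to flag
            for requirement in security:
                for name in requirement:
                    s = schemes.get(name, {})
                    if s.get("type") == "http" and s.get("scheme", "").lower() in CLEARTEXT_HTTP_SCHEMES:
                        findings.append((method.upper(), path, name, servers[0]))
    return findings


# Constructed sample document (not from the original page): one bearer-protected
# operation reachable over http://, and one operation that opts out of security.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test/v1"}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/orders": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    },
}

if __name__ == "__main__":
    for finding in find_cleartext_token_operations(SAMPLE_SPEC):
        print("http-token-cleartext:", *finding)
```

Switching the sample's server URL to https:// makes the check return no findings, which is the remediation the rule is asking for: credentials only ever travel inside TLS.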

Applies to: Operation

Constraint type: Declarative Validation


Type: Ruleset
Organization: MuleSoft
Published by: MuleSoft Organization
Published on: Apr 25, 2022
Asset overview

Asset versions for 1.0.x: 1.0.0