 

Should a Basic authentication request be POST or GET?

I have seen Basic authentication being done in both GET and POST requests.

On the one hand, I suppose browsers caching GET requests could be an issue; on the other, POST is larger but is encouraged for delivering sensitive information.

I am not asking about the difference between GET and POST requests, but which one should be used for Basic authentication. Should GET be used only with HTTPS? Should POST be used always?

My question is which one should be used? Which one is a better practice?

Marios Ath asked Dec 10 '22 03:12


1 Answer

Should GET be used only with HTTPS? Should POST be used always?

HTTPS must be used regardless of the HTTP method when sending/requesting sensitive information over the wire. HTTPS ensures that both body and headers are encrypted.

Bear in mind that sensitive information (such as passwords and payment card numbers) must never ever be sent in the URL: The requested URL may be logged by servers and proxies; If the URL is requested by a browser, the URL goes to the browser history. And then you have a security breach.

Which one should be used for Basic authentication?

The Basic authentication scheme is not tied to any particular HTTP method. Each HTTP method has its own semantics, so you may need different methods to design your API. And each of those methods may perform operations that require authentication and/or authorization.

The HTTP authentication framework, described in RFC 7235, defines that credentials should be sent in the Authorization header, so they can be applied to any HTTP(S) request.

It's also important to highlight that authentication schemes, such as Basic, are meant to be applied to protection spaces, often called realms (see my previous answer for details).

cassiomolin answered Dec 28 '22 07:12
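The mechanics the answer describes, as an added example that is not part of the original question or answer: the client puts the credential in the Authorization header, the server checks that header the same way for GET and POST and challenges with a WWW-Authenticate realm when it is missing or wrong. It also goes one step past the answer with a small check for the "never in the URL" point. Only the Python standard library is used; the realm name `api`, the user table, the query-string keyword list and the request shape are constructed assumptions for the illustration, and a real server would store salted password hashes rather than the plaintext shown here.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed user store for the example: realm -> {username: password}.
# Plaintext is used only to keep the example short; store salted hashes in practice.
USERS_BY_REALM = {
    "api": {"alice": "correct horse battery staple"},
}

# Constructed heuristic list of query keys that indicate a secret in the URL.
SECRET_QUERY_KEYS = {"password", "passwd", "pwd", "token", "authorization"}


def basic_auth_header(username: str, password: str) -> str:
    """Client side: build the Authorization header value per RFC 7617.

    The user-id may not contain a colon, because the first colon separates
    it from the password in the decoded credential string.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(header_value: str):
    """Return (username, password) from an Authorization header value, or None.

    The scheme name is compared case-insensitively; the password may itself
    contain colons, so only the first colon splits user from password.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def handle_request(method: str, path: str, headers: dict, realm: str = "api"):
    """Server side: protect `path` in `realm` with Basic auth, for any method.

    Returns (status_code, response_headers). The HTTP method plays no part in
    the credential check; only the Authorization header does. A missing or
    invalid credential gets a 401 carrying the realm challenge.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}
    creds = parse_basic_credentials(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = USERS_BY_REALM.get(realm, {}).get(user)
    # compare_digest keeps the comparison time independent of where the
    # first mismatching byte is.
    if expected is None or not hmac.compare_digest(
        password.encode("utf-8"), expected.encode("utf-8")
    ):
        return 401, challenge
    return 200, {}


def credentials_in_url(url: str) -> bool:
    """True if a URL carries credentials in its userinfo or query string.

    Such URLs end up in server logs, proxy logs and browser history, which is
    why credentials belong in the Authorization header instead.
    """
    parts = urlsplit(url)
    if parts.username or parts.password:
        return True
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return bool(query_keys & SECRET_QUERY_KEYS)


def demo() -> dict:
    """Same credential and header, different methods: GET and POST both pass."""
    auth = {"Authorization": basic_auth_header("alice", "correct horse battery staple")}
    wrong = {"Authorization": basic_auth_header("alice", "wrong")}
    return {
        "GET": handle_request("GET", "/api/items", auth)[0],
        "POST": handle_request("POST", "/api/items", auth)[0],
        "no-header": handle_request("GET", "/api/items", {})[0],
        "bad-password": handle_request("POST", "/api/items", wrong)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:>12}: {status}")
    print("userinfo URL leaks:", credentials_in_url("https://alice:secret@example.com/"))
```

Run it directly to see the four cases; the only thing that changes the status is the header, not the method. The `realm` value in the 401 challenge is what scopes the credential to a protection space, as the answer's last paragraph notes.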