RFC 7617 Quiz

HTTP Basic Authentication

🇺🇸 🇯🇵

0 / 0

References (URLs)

RFC 7617: The "Basic" HTTP Authentication Scheme

Goal: understand encoding, challenge flow, and security pitfalls.

Show explanation immediately Show all answers

Q1: Which request header carries Basic credentials

Multiple Choice

A. Authorization B. Authenticate C. Cookie

**Explanation:** **Correct (A):** The client sends credentials in Authorization using the Basic scheme **Options:** - A (correct): Authorization is the request header - B (incorrect): Challenges use WWW-Authenticate in responses - C (incorrect): Cookies are a separate mechanism

Q2: Basic credentials are encoded as

Multiple Choice

A. Hash of username and password B. Encrypted blob using server public key C. Base64 of username colon password

**Explanation:** **Terms:** Base64, colon separator **Correct (C):** It is an encoding, not encryption, so transport security matters **Related:** Base64 is reversible

Q3: Why is Basic authentication unsafe without TLS

Multiple Choice

A. It cannot work over HTTP/2 B. Credentials can be trivially decoded by eavesdroppers C. It forces cookies to be sent cross site

**Explanation:** **Correct (B):** Base64 provides no confidentiality **Options:** - A (incorrect): It works at the HTTP semantics layer - B (correct): TLS is required to protect credentials - C (incorrect): Unrelated

Q4: Which status code commonly triggers a Basic auth challenge

Multiple Choice

A. 401 B. 206 C. 302

**Explanation:** **Terms:** WWW-Authenticate **Correct (A):** The server responds with 401 plus a WWW-Authenticate challenge

Q5: A common operational best practice for Basic auth credentials is

Multiple Choice

A. Put them in URLs for easy debugging B. Log the decoded value for troubleshooting C. Avoid sending them to untrusted origins and avoid logging them

**Explanation:** **Correct (C):** Credentials leak easily through logs and redirects **Related:** Treat Authorization as sensitive and strip it at trust boundaries

Q6: Name the request header that sends credentials for Basic auth (one word)

Short Text

**Explanation:** **Correct:** Authorization