Severity: Error. Category: security.

Basic Auth Without SSL

Why HTTP Basic Authentication requires HTTPS encryption.

What This Rule Checks

This rule detects when HTTP Basic Authentication is enabled without SSL/TLS.

Why It Matters

Basic Auth sends the username and password as a Base64-encoded string in the Authorization header of every request. Base64 is an encoding, not encryption: without HTTPS, anyone who can observe the network traffic can decode it and read the credentials in plain text.

Bad — Triggers this rule

server {
    listen 80;                      # plain HTTP: no TLS on this listener
    server_name admin.example.com;

    auth_basic "Admin Area";        # credentials are sent with every request
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Good — Passes this rule

server {
    listen 443 ssl http2;           # TLS-enabled listener only
    server_name admin.example.com;

    ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;

    auth_basic "Admin Area";        # credentials now travel inside the TLS session
    auth_basic_user_file /etc/nginx/.htpasswd;
}

How to Fix

Enable SSL/TLS before using Basic Auth. In Configen, enable SSL in the SSL/TLS section first, then enable Basic Auth in the Security section.
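As an added illustration, and not Configen's own linter code, here is the check this rule performs written as a small standalone Python script: it extracts each server block from an nginx config and reports any that enable auth_basic while still listening without the ssl parameter. The two sample configs are constructed, modelled on the Bad and Good examples above.

```python
import re

# Constructed sample configs, modelled on the page's Bad and Good examples.
BAD_CONF = """
server {
    listen 80;
    auth_basic "Admin Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
"""
GOOD_CONF = """
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
    auth_basic "Admin Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
"""

def _server_bodies(config: str) -> list[str]:
    """Body text of every `server { ... }` block, with # comments stripped."""
    text = re.sub(r"#[^\n]*", "", config)
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk forward to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
    return bodies

def _directive_args(body: str, name: str) -> list[list[str]]:
    """Argument lists of each `name ...;` statement in the body, nested location blocks included."""
    hits = re.findall(r"(?:^|(?<=[;{}]))\s*" + name + r"\s+([^;]*);", body)
    return [a.split() for a in hits]

def check_basic_auth_without_ssl(config: str) -> list[str]:
    """One finding per server block that enables auth_basic while still accepting plain HTTP:
    a `listen` without the ssl parameter, or no `listen` at all (nginx then defaults to port 80)."""
    findings = []
    for n, body in enumerate(_server_bodies(config), start=1):
        auth_on = any(a and a[0] != "off" for a in _directive_args(body, "auth_basic"))
        listens = _directive_args(body, "listen")
        plain = [" ".join(a) for a in listens if "ssl" not in a] if listens else ["<no listen directive>"]
        legacy_ssl = any(a == ["on"] for a in _directive_args(body, "ssl"))  # old-style `ssl on;`
        if auth_on and plain and not legacy_ssl:
            findings.append(f"server #{n}: auth_basic enabled on plain HTTP listener(s): {', '.join(plain)}")
    return findings
```

A server block that also keeps a `listen 80;` next to its `listen 443 ssl;` is still reported, since the plain listener can still receive the Authorization header in clear.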
