On Wed, Aug 18, 2021 at 7:15 AM Barry <ba...@barrys-emacs.org> wrote:
>
> > On 17 Aug 2021, at 19:25, Chris Angelico <ros...@gmail.com> wrote:
> >
> > On Wed, Aug 18, 2021 at 4:16 AM Barry Scott <ba...@barrys-emacs.org> wrote:
> >> Oh and if you have the freedom avoid Basic Auth as it's not secure at all.
> >>
> >
> > That's usually irrelevant, since the alternative is most likely to be
> > form fill-out, which is exactly as secure. If you're serving over
> > HTTPS, the page is encrypted, and that includes the headers; if you're
> > not, then it's not encrypted, and that includes the form body.
>
> There is digest and NTLM that do not reveal the password.
>

And they require that the password be stored decryptably on the server,
which is a different vulnerability. It's all a matter of which threat
is more serious to you.

Fundamentally, basic auth is no better or worse than any of the other
forms - it's just different.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
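
The trade-off discussed in this thread, as an added Python example that is not from the thread or its participants: a Basic header decodes straight back to the password, while checking an RFC 2617 Digest response requires the server to hold the password or the HA1 value derived from it. The credentials, nonce and URI are the published sample values from the HTTP authentication RFCs; the function names are made up for this example.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def decode_basic(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password

def ha1(user, realm, password):
    """The only secret Digest needs server-side: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, f):
    """Expected 'response' for qop=auth, computed from HA1 and request fields."""
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(f"{ha1_hex}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")

def server_verify(stored_ha1, method, f):
    # The server must recompute the response, so it needs the password or
    # HA1 in usable form; a salted, slow password hash cannot be used here.
    expected = digest_response(stored_ha1, method, f)
    return hmac.compare_digest(expected, f["response"])

# Sample values from the RFC examples (not real credentials).
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
STORED_HA1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

if __name__ == "__main__":
    # Basic: whoever can read the header (no TLS) reads the password itself.
    print("Basic carries:", decode_basic(BASIC_HEADER))
    # Digest: the password stays off the wire, but HA1 sits in the server's store.
    print("Digest verified from stored HA1:",
          server_verify(STORED_HA1, "GET", DIGEST_FIELDS))
```

Because `STORED_HA1` alone is enough to produce a valid response for that realm, a Digest credential store has to be protected as if it held the passwords themselves.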