Basic authentication only obfuscates usernames and passwords in Base64 encoding, which can be easily recognized and reversed, thus it must not be transmitted over the cleartext HTTP channel. Transmitting sensitive information without using HTTPS makes the data vulnerable to packet sniffing.

Either use a more secure authentication mechanism like digest authentication or federated authentication, or use the HTTPS communication protocol.

The following example shows two ways of using basic authentication. In the 'BAD' case, the credentials are transmitted over HTTP. In the 'GOOD' case, the credentials are transmitted over HTTPS.

SonarSource rule: Basic authentication should not be used.

Acunetix: WEB VULNERABILITIES INDEX - Basic authentication over HTTP.