API Security with Basic Authentication

Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with an Authorization header that contains the word Basic followed by a space and the base64-encoded string username:password.

For example, to authorize the user with username test and password P@sswOrd, the client would send: Authorization: Basic dGVzdDpQQHNzd09yZA==

How miniOrange API Gateway protects your APIs with Basic Authentication:

  1. The client application accesses the API server with a Basic Authentication header.
  2. miniOrange API Gateway reads the credentials provided in the Authorization header and validates them against one of:

    • the Identity Provider database,
    • Active Directory or any LDAP store, or
    • an external API source.
  3. Once the credentials are validated, miniOrange forwards the request to the API or resource server.
  4. The response returned from the API server is sent back to the client application.

The Authorization field is constructed as follows:

  • The username and password are combined with a single colon (:). (This means that the username itself cannot contain a colon.)
  • The resulting string is encoded using Base64.
  • The authorization method and a space (e.g. "Basic ") are then prepended to the encoded string.
  • e.g. Authorization: Basic dGVzdDpQQHNzd09yZA==
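The construction above, together with the gateway's parsing step from the numbered list, as an added example in Python (this is not miniOrange's code): the client builds the header, and the gateway parses it, splitting on the first colon only so that passwords containing colons survive, rejecting malformed base64, and comparing the password against a salted hash with a constant-time comparison. The credential store USER_DB, the static salt and the PBKDF2 parameters are constructed for the example; a real gateway would consult its identity provider, LDAP store or external API as described above.

```python
import base64
import binascii
import hashlib
import hmac


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash for the constructed credential store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed for the example: a single static salt and one user. A real
# deployment uses a random per-user salt and an identity provider / LDAP lookup.
_SALT = b"example-static-salt"
USER_DB = {"test": _pbkdf2("P@sswOrd", _SALT)}


def build_basic_header(username: str, password: str) -> str:
    """Client side: join with a single colon and base64-encode (RFC 7617)."""
    if ":" in username:
        raise ValueError("username must not contain a colon")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Gateway side: recover (username, password), or None if the header is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Split on the FIRST colon only: the password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def authenticate(header: str) -> bool:
    """Gateway decision: True only for a well-formed header with valid credentials."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    stored = USER_DB.get(username)
    # Hash the candidate even for unknown users so response timing does not
    # reveal which usernames exist.
    candidate = _pbkdf2(password, _SALT)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)
```

Decoding the token is a single base64 call, which is the point the disadvantages section below makes: the encoding hides nothing, and the only protection for the password in transit is the TLS connection.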

Advantages of using BASIC Authentication:

  • Integration with client applications is straightforward.
  • The information is retrieved from the server with just one API call, making it faster than more complex authentication schemes.
  • Supported by and compatible with all browsers.

Disadvantages of using BASIC Authentication:

  • Credentials are sent over the network in cleartext. The username and password are base64-encoded, but base64 is an encoding, not encryption, so any password sent using Basic authentication can easily be decoded.
  • Basic authentication is vulnerable to replay attacks, so OAuth authentication is recommended instead, as it provides time-based tokens and can restrict access.


What Security Guidelines we follow to secure your APIs:


Enforce HTTPS / TLS connection:

We provide an option to enforce the use of HTTP over SSL/TLS (HTTPS) for API requests, so that your credentials are transferred securely.


Input Parameter Validation to prevent injections:

Request parameters are validated at the very first step, before the request reaches your API server. Our strict validation checks block access immediately if input validation fails, which helps prevent SQL injection and other injection attacks.

We support the input validation specified by the OWASP REST Security guidelines.
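One way to implement allowlist validation of request parameters at the gateway, as an added example in Python (not miniOrange's code): every query parameter of a hypothetical /orders endpoint is checked against a schema for type, range, length, permitted characters and duplication before the request is forwarded, and any parameter that is not listed is rejected outright. ORDERS_SCHEMA and the endpoint are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed allowlist schema for one hypothetical endpoint, /orders.
# Each parameter gets a type plus range, length or pattern limits; anything
# not listed here is rejected before the request reaches the API server.
ORDERS_SCHEMA = {
    "id": {"type": "int", "min": 1, "max": 2**31 - 1},
    "status": {"type": "enum", "values": {"open", "shipped", "closed"}},
    "customer": {"type": "str", "max_len": 32, "pattern": re.compile(r"[A-Za-z0-9_-]+")},
}


def validate_query(query: str, schema: dict) -> list[str]:
    """Return a list of violations; an empty list means the request may be forwarded."""
    errors = []
    pairs = parse_qsl(query, keep_blank_values=True)
    seen = set()
    for name, value in pairs:
        rule = schema.get(name)
        if rule is None:
            errors.append(f"unexpected parameter {name!r}")
            continue
        if name in seen:
            # Repeated parameters (HTTP parameter pollution) are rejected,
            # since backends disagree on whether the first or last value wins.
            errors.append(f"duplicate parameter {name!r}")
            continue
        seen.add(name)
        kind = rule["type"]
        if kind == "int":
            # Digits only, bounded length, then a range check on the parsed value.
            if not re.fullmatch(r"-?\d{1,10}", value):
                errors.append(f"{name}: not an integer")
            elif not rule["min"] <= int(value) <= rule["max"]:
                errors.append(f"{name}: out of range")
        elif kind == "enum":
            if value not in rule["values"]:
                errors.append(f"{name}: not an allowed value")
        elif kind == "str":
            if len(value) > rule["max_len"]:
                errors.append(f"{name}: too long")
            elif not rule["pattern"].fullmatch(value):
                errors.append(f"{name}: contains disallowed characters")
    return errors
```

The allowlist approach is what makes this useful against injection: the validator never tries to recognise attack strings, it only accepts the narrow shape each parameter is documented to have, so a value like "1 OR 1=1" fails simply because it is not an integer.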


Timestamp in Request:

Along with the other request parameters, we provide an option to add a request timestamp as a custom HTTP header in the API request. The server compares the current timestamp with the request timestamp and only accepts the request if it falls within the allowed timeframe (60-300 seconds). This prevents replay attacks by attackers who try to brute force your system without changing this timestamp.


Digitally Sign API requests and responses:

We support digitally signed API requests and responses as an added security measure.

Digitally signed API requests ensure that the requests are coming from a trusted partner or client.
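The timestamp check from the previous section and request signing work best together, because the signature binds the timestamp: a captured request replayed after the window is rejected, and the timestamp cannot be refreshed without the client's secret. The following added example in Python (not miniOrange's code) shows both the client and the gateway side. It assumes HMAC-SHA256 over the method, path, timestamp and a hash of the body as the signing mechanism; the header names X-Client-Id, X-Timestamp and X-Signature, the shared secret in CLIENT_SECRETS and the 300-second window are all constructed for the example. The now parameter is passed in explicitly so the behaviour can be checked deterministically.

```python
import hashlib
import hmac

# Constructed per-client shared secret; a gateway would look this up in its
# client registry. The signing mechanism (HMAC-SHA256) is an assumption.
CLIENT_SECRETS = {"partner-1": b"constructed-shared-secret"}
ALLOWED_SKEW_SECONDS = 300  # upper end of the 60-300 s window described above


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """What gets signed: method, path, timestamp and the SHA-256 of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode("utf-8")


def sign_request(client_id: str, method: str, path: str, body: bytes, now: int) -> dict:
    """Client side: produce the headers the gateway will verify."""
    ts = str(now)
    mac = hmac.new(CLIENT_SECRETS[client_id], canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": ts, "X-Signature": mac.hexdigest()}


def verify_request(headers: dict, method: str, path: str, body: bytes, now: int) -> tuple[bool, str]:
    """Gateway side: check freshness first, then integrity. Returns (ok, reason)."""
    client_id = headers.get("X-Client-Id", "")
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return False, "unknown client"
    ts_raw = headers.get("X-Timestamp", "")
    if not ts_raw.isdigit():
        return False, "malformed timestamp"
    # Absolute difference so that client clocks slightly ahead are tolerated too.
    if abs(now - int(ts_raw)) > ALLOWED_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical_string(method, path, ts_raw, body), hashlib.sha256).hexdigest()
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"
```

Checking the window before the signature means stale requests are dropped without the cost of an HMAC. Within the window an identical request could still be replayed once more; a short-lived cache of recently accepted signatures, or a per-request nonce included in the canonical string, closes that remaining gap.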


Rate Limiting:

We protect your APIs with rate limiting to mitigate distributed denial-of-service (DDoS) attacks and to protect the backend applications that process the API calls.
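A token-bucket limiter keyed by client identity, as an added example in Python (not miniOrange's code) of the rate limiting described above: each client gets a bucket that refills at a fixed rate, and a request is forwarded only when a token is available, so short bursts up to the bucket capacity are allowed while the sustained rate is capped. The capacity and refill rate are constructed values, and the optional now parameter exists so the behaviour can be checked deterministically; in a gateway the client key would typically be the authenticated username or client id rather than the source IP.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    updated: float  # monotonic time of the last refill


class RateLimiter:
    """Token-bucket limiter: `capacity` requests of burst, `refill_per_sec` sustained."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        """Return True and consume a token if the client may proceed, else False."""
        now = time.monotonic() if now is None else now
        b = self._buckets.get(client)
        if b is None:
            # New clients start with a full bucket.
            b = _Bucket(tokens=self.capacity, updated=now)
            self._buckets[client] = b
        # Refill proportionally to elapsed time, never beyond capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.updated) * self.refill_per_sec)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, client: str, now: Optional[float] = None) -> float:
        """Seconds until the client's bucket holds a whole token again (0 if it already does)."""
        now = time.monotonic() if now is None else now
        b = self._buckets.get(client)
        if b is None:
            return 0.0
        tokens = min(self.capacity, b.tokens + (now - b.updated) * self.refill_per_sec)
        return max(0.0, (1.0 - tokens) / self.refill_per_sec)
```

When allow returns False the gateway should answer 429 and can fill Retry-After from retry_after, which gives well-behaved clients a hint instead of leaving them to hammer the endpoint.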