How to force Basic Authentication to run on SSL?

#1 Sun, 05/26/2013 - 16:38
katir


We continue the process (very tedious) of knocking down so-called vulnerabilities that are flagged by our PCI compliance auditing company.

On some sites we have set Basic Authentication to allow users access to file lists. This is a "failure" from the PCI audit point of view because the user name and password are sent as clear text.

Description: Web Server Uses Basic Authentication Without HTTPS

Synopsis: The remote web server seems to transmit credentials in clear text

How do we force this form of access to run over SSL?

Sun, 05/26/2013 - 19:44
andreychek

Howdy,

Depending on how your HTTP Auth is set up -- you may be able to use a .htaccess file to redirect users to an HTTPS URL.

You could do that with the following:

    # Send any request that did not arrive over TLS to the same URL on https://
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Or, if your HTTP Auth isn't being set up with a .htaccess, but is being set up within Apache -- it's possible you would need to add the above lines into the VirtualHost block for this domain in the Apache config.

-Eric

Mon, 05/27/2013 - 15:20 (Reply to #2)
katir

These are the webalizer /public_html/stats/ directories that are getting pegged as insecure. Yes, they are set via .htaccess.

    AuthName "MyDomain.com statistics"
    AuthType Basic
    AuthUserFile /home/mydomain/.stats-htpasswd
    require valid-user
    deny from all

But adding your suggested mod_rewrite lines doesn't help. Whether I put them at the beginning or end of the .htaccess file, the initial handshake with the basic auth dialog for user/password is still running under http (no SSL).

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    AuthName "minimela.com statistics"
    AuthType Basic
    AuthUserFile /home/minimela/.stats-htpasswd
    require valid-user
    deny from all
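The failure described in the post above has a well-defined cause, and the configuration below is an added example, not something posted in the thread. In .htaccess (per-directory) context, mod_rewrite runs in Apache's fixup phase, which comes after the authentication phase, so mod_auth_basic has already sent its 401 challenge over plain HTTP before any RewriteRule in the .htaccess file is reached; reordering the lines cannot change that. A RewriteRule placed in the port-80 VirtualHost instead runs during URL translation, ahead of authentication, and Basic Auth is then defined only under the TLS VirtualHost. The domain name, DocumentRoot, stats path and certificate file names are placeholders modelled on the thread and must be adjusted to the real server.

```apache
# Added example (not from the thread): redirect to HTTPS before any
# credential challenge can occur, and require Basic Auth only over TLS.
# Domain, paths and certificate locations are placeholders.

<VirtualHost *:80>
    ServerName mydomain.com
    DocumentRoot /home/mydomain/public_html

    # Server/VirtualHost-context rewrite runs at URL translation, before
    # .htaccess is read and before mod_auth_basic runs, so port 80 only ever
    # answers with a redirect and never asks for a username or password.
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName mydomain.com
    DocumentRoot /home/mydomain/public_html
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile /etc/ssl/certs/mydomain.com.pem
    SSLCertificateKeyFile /etc/ssl/private/mydomain.com.key

    # Basic Auth exists only inside the TLS VirtualHost.
    <Directory /home/mydomain/public_html/stats>
        # Belt and braces: refuse to serve this directory at all unless the
        # connection is TLS. SSLRequireSSL is evaluated in the access phase,
        # which precedes authentication, so it can never cause a cleartext
        # credential prompt even if a plain-HTTP path is added later by mistake.
        SSLRequireSSL
        AuthType Basic
        AuthName "MyDomain.com statistics"
        AuthUserFile /home/mydomain/.stats-htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

The existing .htaccess in the stats directory can stay as it is: on port 80 the VirtualHost redirect is issued before Apache reads .htaccess at all, and on port 443 its directives simply duplicate the Directory block. To confirm the fix the way the scanner would, issue a plain-HTTP request with `curl -sI http://mydomain.com/stats/` and check that the answer is a 301 whose Location header starts with https:// and that no WWW-Authenticate header is present; the challenge should appear only on the https:// URL.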
