Why should you base64 encode the Authorization header?

夙愿已清 提交于 2019-12-03 14:00:31

Eventhough I can't find it in the w3 documentation, I believe that it is just protocol to encode the credentials of the Authorization header to base64, no matter what content it has. In the case of Twitter it doesn't make much difference as you said, but in other cases the credentials can contain these characters. To keep it uniform and prevent mistakes of whether it should be encoded or not, all credentials should be encoded.

Another reason could be, that browsers also encode the credentials the same way. Twitter probably also wants to accept that.

The Basic Authentication Scheme is described in the RFC7617 (and the old RFC2617).

This is a standard way to send password credentials to the server. The base64 encoding is used to encode credentials to allow non HTTP characters and multibytes strings to be sent.

By default, message header field parameters in Hypertext Transfer Protocol (HTTP) messages cannot carry characters outside the ISO- 8859-1 character set.

If user name and password contains incompatible charset than HTTP would not be able to carry those text. to prevent from this we encode user name and password with base64 to make sure we are sending HTTP compatible char over HTTP. for more information see this Basic_access_authentication

The string should be base64 encoded, not for security, but to encode non-HTTP-compatible characters into HTTP-compatible characters that may be in the username or password.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!