I'm not sure if basic auth on my server is being secured

Jungroy asked:

This may be a really dumb question, but I had to make sure that I’m fine with this.

I set up an HTTPS server with basic auth, but the browser informs me that the connection is not secured when I connect to the auth page, and tells me that the connection is secured after I sign in. I want to know whether this is safe, and if not, how can I make it secured?

Config (NGINX):

server {
    listen 80;
    server_name omv.jungroy.codes;

    # every plain-HTTP request is redirected to HTTPS before any auth challenge
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name omv.jungroy.codes;

    ssl_certificate (certpath);
    ssl_certificate_key (certkeypath);
    ssl_trusted_certificate (anotherpath);
    ssl_dhparam (dhparam);

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # cipher list cut off in the original post; the trailing "$" marks the truncation
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA25$
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        # basic auth is only ever requested inside the TLS server block
        auth_basic 'Nothing to see here';

        proxy_pass http://localhost:4000/;
    }
}

Screenshot

My answer:


Your configuration appears fine; it’s the browser that is misbehaving.

Your site correctly redirected to https, and the basic auth request was sent to you over https. But the browser did not update the address bar before popping up the dialog. Interestingly, I was able to see this behavior both on Chrome and Firefox. Perhaps this is because the browser asked for the credentials before (from its perspective) the page load was complete? It’s a question for the browser developers.
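Added example, not part of the question or the answer above: a small Python script that checks the same thing the answer checked by hand, namely that the plain-HTTP listener only redirects (so the browser never receives a Basic challenge over cleartext) and that the 401 challenge is issued on the HTTPS side. The `audit` function works on already-collected responses, so it is exercised here with constructed data; `fetch`/`probe` are the live helpers you would point at your own host (the hostname `your.host.example` is a placeholder). It also notes whether `Strict-Transport-Security` is present, which the posted config does not set, and decodes a constructed `Authorization` header to show why the transport, not the encoding, is what protects Basic credentials.

```python
"""Check how an nginx basic-auth site hands out its challenge.

fetch()/probe() do live GETs with urllib; audit() runs on collected
(status, headers) pairs so the logic can be tested offline.
"""
import base64
import urllib.error
import urllib.request


def fetch(url, timeout=10):
    """GET one URL without following redirects; return (status, headers)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx/4xx land here with NoRedirect
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def _basic_challenge(status, headers):
    """True when the response is a 401 carrying a Basic WWW-Authenticate."""
    challenge = headers.get("www-authenticate", "")
    return status == 401 and challenge.lower().startswith("basic")


def audit(http_resp, https_resp):
    """Classify the cleartext and TLS responses for a basic-auth site.

    http_resp / https_resp are (status, headers) pairs as returned by fetch().
    """
    http_status, http_headers = http_resp
    https_status, https_headers = https_resp

    location = http_headers.get("location", "")
    findings = {
        # the port-80 block should only redirect, exactly like the nginx config
        "redirect_to_https": http_status in (301, 302, 307, 308)
        and location.lower().startswith("https://"),
        # a 401 on plain HTTP would make the browser send credentials unencrypted
        "cleartext_challenge": _basic_challenge(http_status, http_headers),
        # the challenge the browser actually answers must come over TLS
        "challenge_over_tls": _basic_challenge(https_status, https_headers),
        # HSTS is absent from the posted config; it keeps returning browsers
        # from ever starting on port 80 (noted, not a defect in the answer)
        "hsts_present": "strict-transport-security" in https_headers,
    }
    if findings["cleartext_challenge"]:
        findings["verdict"] = "credentials exposed"
    elif findings["redirect_to_https"] and findings["challenge_over_tls"]:
        findings["verdict"] = "ok"
    else:
        findings["verdict"] = "review"
    return findings


def decode_basic_credentials(authorization_header):
    """Split a Basic Authorization header back into (user, password).

    Basic auth is base64, not encryption: anyone who sees the header on the
    wire can do this, which is why the challenge must only travel over TLS.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def probe(host):
    """Live check against a host (placeholder name below, replace with yours)."""
    return audit(fetch(f"http://{host}/"), fetch(f"https://{host}/"))


if __name__ == "__main__":
    # Constructed responses mirroring the nginx config in the question.
    result = audit(
        (301, {"location": "https://your.host.example/"}),
        (401, {"www-authenticate": 'Basic realm="Nothing to see here"'}),
    )
    print(result)
    # probe("your.host.example")  # placeholder host; run against your own site
```

The script deliberately disables redirect-following, because the question is exactly about what happens on the first hop: with the posted config the cleartext side answers 301 and never 401, so the dialog the browser shows belongs to a response that arrived over TLS.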


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.