Accessed with basic auth.
\")\n\nif __name__ == '__main__':\n # To protect the entire site (e.g., for staging environments):\n # app.config['BASIC_AUTH_FORCE'] = True\n # Ensure BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD are set as environment variables\n # or directly in app.config for production.\n app.run(debug=True)\n","lang":"python","description":"This quickstart initializes a Flask application with Flask-BasicAuth. It demonstrates protecting a single route (`/secret`) using the `@basic_auth.required` decorator. Credentials are loaded from environment variables for security, defaulting to 'admin' and 'secret'. The example also notes how to protect the entire application using `BASIC_AUTH_FORCE = True`."},"warnings":[{"fix":"Always deploy Flask applications using Flask-BasicAuth behind an HTTPS/TLS-enabled server (e.g., Nginx, Apache) in production environments.","message":"Basic Authentication sends credentials (username and password) in cleartext over the network, only Base64 encoded, which is easily reversible. It is CRITICAL to use HTTPS/TLS to encrypt the connection between the client and server. Without HTTPS, credentials can be easily intercepted.","severity":"breaking","affected_versions":"0.1.0 - 0.2.0"},{"fix":"Configure your reverse proxy to pass the `Authorization` header to the backend. For Apache/mod_wsgi, add `WSGIPassAuthorization On` to your configuration. For Nginx, ensure `proxy_set_header Authorization $http_authorization;` is set.","message":"When deploying Flask-BasicAuth behind a reverse proxy like Nginx or Apache with mod_wsgi, the proxy might strip the `Authorization` header, preventing Flask-BasicAuth from receiving the credentials.","severity":"gotcha","affected_versions":"0.1.0 - 0.2.0"},{"fix":"If experiencing issues with `BASIC_AUTH_FORCE`, consider explicitly decorating each protected view with `@basic_auth.required` or explore alternative Flask authentication extensions like `Flask-HTTPAuth`.","message":"The `BASIC_AUTH_FORCE = True` configuration, intended to protect the entire application, has been reported to cause continuous re-prompting for credentials in some browsers due to how authorization headers are handled.","severity":"gotcha","affected_versions":"0.1.0 - 0.2.0"},{"fix":"For production applications requiring secure user management and password storage, consider using more robust Flask extensions like `Flask-Login` combined with `Flask-Bcrypt`, or `Flask-HTTPAuth` which supports secure password hashing. Flask-BasicAuth is best suited for simple, low-security scenarios or protecting staging environments.","message":"Flask-BasicAuth performs a direct string comparison for usernames and passwords (cleartext comparison). It does not include mechanisms for secure password hashing (e.g., bcrypt, scrypt) or storage.","severity":"gotcha","affected_versions":"0.1.0 - 0.2.0"},{"fix":"For new projects or applications requiring ongoing maintenance and modern features, consider using actively developed alternatives such as `Flask-HTTPAuth` (for various HTTP auth schemes including Basic with hashed passwords) or `Flask-Login` (for session-based user management).","message":"This library has not been updated since June 2013, with Python 3 support only officially extending to Python 3.3. It is largely unmaintained, and may not be compatible with newer Flask versions or Python releases, or may lack features and security updates present in more active alternatives.","severity":"deprecated","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-13T00:00:00.000Z","next_check":"2026-07-12T00:00:00.000Z"}