Basic auth string



The Basic authentication string detector aims to catch any host/username/password triplet concatenated into a URL and used for HTTP authentication.

This definition is very broad, so to avoid raising many false alerts GitGuardian applies a range of validation steps and specifications that narrow the perimeter to look at.


As defined in RFC 2617 (since superseded by RFC 7617), HTTP Basic Authentication is a way to authenticate by providing a username and a password when making a request to a service exposed by a host. These credentials are normally sent base64-encoded in the Authorization header of the request, but they can also appear in plain text in the userinfo part of a URI (https://username:password@host:port/...). This detector focuses on the latter case.

To do so, the Basic authentication string detector starts by identifying documents that match the https?:// regular expression and whose filename is not excluded by the filename banlist (see the prevalidators hereunder). It then uses common detection techniques and applies post-validation tools.

For this detector, host, username, and password must each follow a specific set of rules to be considered sensitive, and therefore valid. The detector can also pick up a port attached to the host, if one exists:

  • host: set of rules to filter irrelevant host names, such as those on the common host banlist identified by GitGuardian (see banlist hereunder).

  • username: set of rules to filter commonly banned usernames such as test-user or foo (see banlist hereunder).

  • password: set of rules to filter irrelevant passwords such as password or test (see banlist hereunder).

  • port (optional): if the Basic authentication string detector detects a port on the host, its value is added to the list of matches.

Revoke the secret

This detector catches generic credentials, so GitGuardian cannot infer which service is concerned. To properly revoke the credentials:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the credentials.


Examples that WILL be caught

- text: >

  username: 43f6017361224d098402974103bfc53d
  password: a6a0538fc2934ba2bed32e08741b2cd3
  port: '9000'

- text: >

  username: 43f6017361224d098402974103bfc53d
  password: a6a0538fc2934ba2bed32e08741b2cd3

Examples that WILL NOT be caught

  • Host name is not sensitive.
    - text: >

  • Username is not sensitive.
    - text: >

  • Password is not sensitive.
    - text: >

Details for Basic auth string

  • High Recall: True

  • Validity Check: False

  • Minimum Number of Matches: 3

  • Occurrences found for one million commits: 87

  • Prefixed: True

  • PreValidators:

    - type: FilenameBanlistPreValidator
        - css
        - storyboard
        - xib
        - node_modules(/|\\)
        - vendors?(/|\\)
        - top-1000\.txt$
        - \.sops$
        - \.sops\.yaml$
      check_binaries: false
    - type: ContentWhitelistPreValidator
        - https?://

  • PostValidators (host):

    - type: CommonHostBanlistPostValidator
    - type: ValueBanlistPostValidator
      patterns: ['', 'host.xz']

  • PostValidators (password):

    - type: CommonPasswordBanlistPostValidator
    - type: ValueBanlistPostValidator
        - \.env
        - env[. ]
        - str\(
        - \.getenv\(
        - \+[^+(\d]+?\+
        - \{[^}(\d]+?\}
        - token
        - test-pass
        - '123456'
        - adminpwd
        - mypass
    - type: MinimumLengthPostValidator
      length: 4

  • PostValidators (username):

    - type: CommonUsernameBanlistPostValidator
    - type: ValueBanlistPostValidator
      patterns: ['mailto', 'login', 'test-user', 'admin2', 'demo', 'myuser']
    - type: MinimumLengthPostValidator
      length: 4
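As an added example (not GitGuardian's own detector code), the following Python script re-implements the pipeline described on this page end to end: the filename banlist and https?:// content whitelist prevalidators, extraction of username, password, host and optional port from the userinfo part of a URL, and the host, username and password post-validators listed in the details above. The value banlists and the minimum length of 4 are the ones given on the page. Everything else is an assumption made for this example: the URL regular expression, the helper names, the contents of the "common" host/username/password banlists (which the page does not publish), the decision to apply filename banlist entries as regular expressions searched in the path, and the sample documents, whose host names are made up (the username, password and port of the first one are the page's own example values).

```python
"""Toy re-implementation of the Basic auth string detector pipeline.

Added example, not GitGuardian's detector code. The URL regular expression,
helper names, the contents of the "common" banlists and the sample documents
are assumptions; the value banlists and the minimum length of 4 come from the
page.
"""
import re

# Pre-validators. The page does not say how filename banlist entries are
# matched; this example applies each one as a regex searched in the path.
FILENAME_BANLIST = [re.compile(p) for p in (
    r"css", r"storyboard", r"xib", r"node_modules(/|\\)", r"vendors?(/|\\)",
    r"top-1000\.txt$", r"\.sops$", r"\.sops\.yaml$",
)]
CONTENT_WHITELIST = re.compile(r"https?://")

# Post-validators. The "common" banlists are not published on the page; the
# small sets below are assumptions standing in for them.
COMMON_HOST_BANLIST = {"localhost", "127.0.0.1", "0.0.0.0", "example.com"}
COMMON_USERNAME_BANLIST = {"test", "user", "foo", "admin", "root", "guest"}
COMMON_PASSWORD_BANLIST = {"password", "test", "secret", "changeme", "passwd"}

HOST_VALUE_BANLIST = [r"host.xz"]  # the page's '' entry: empty hosts are rejected below
USERNAME_VALUE_BANLIST = ["mailto", "login", "test-user", "admin2", "demo", "myuser"]
PASSWORD_VALUE_BANLIST = [
    r"\.env", r"env[. ]", r"str\(", r"\.getenv\(",
    r"\+[^+(\d]+?\+",   # concatenation: "https://u:" + pwd + "@host"
    r"\{[^}(\d]+?\}",   # template placeholder: https://u:{password}@host
    r"token", r"test-pass", r"123456", r"adminpwd", r"mypass",
]
MIN_LENGTH = 4

# userinfo form of a URI (RFC 3986): scheme://user:password@host[:port]
BASIC_AUTH_URL = re.compile(
    r"https?://(?P<username>[^:/@\s]+):(?P<password>[^@/\s]+)"
    r"@(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"
)


def is_banned(value, common, patterns):
    """Empty, on the common banlist, or matching a value-banlist regex."""
    if not value or value.lower() in common:
        return True
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def prevalidate(filename, content):
    """False when the document is skipped before detection even runs."""
    if any(p.search(filename) for p in FILENAME_BANLIST):
        return False
    return CONTENT_WHITELIST.search(content) is not None


def validate_match(m):
    """Apply the per-field post-validators; return the matches or None."""
    username, password, host, port = m.group("username", "password", "host", "port")
    if is_banned(host, COMMON_HOST_BANLIST, HOST_VALUE_BANLIST):
        return None
    if len(username) < MIN_LENGTH or is_banned(
            username, COMMON_USERNAME_BANLIST, USERNAME_VALUE_BANLIST):
        return None
    if len(password) < MIN_LENGTH or is_banned(
            password, COMMON_PASSWORD_BANLIST, PASSWORD_VALUE_BANLIST):
        return None
    matches = {"host": host, "username": username, "password": password}
    if port:  # optional fourth match
        matches["port"] = port
    return matches


def detect(filename, content):
    """Return every validated host/username/password(/port) found in a document."""
    if not prevalidate(filename, content):
        return []
    return [r for r in map(validate_match, BASIC_AUTH_URL.finditer(content)) if r]


# Constructed sample documents. The username, password and port of the first
# one are the page's own example values; every host name is made up.
SAMPLES = {
    "config/settings.yml":
        "ci_url: https://43f6017361224d098402974103bfc53d:"
        "a6a0538fc2934ba2bed32e08741b2cd3@ci.internal.corp:9000/api\n",
    "deploy.py":  # password is a concatenation expression, not a secret
        'REPO = "https://deploy:"+PASSWORD+"@git.internal.corp/app.git"\n',
    "docker-compose.yml":  # banned username, template placeholder, banned host
        "a: http://admin:{password}@db.internal.corp:5432\n"
        "b: http://test-user:s3cr3tvalue@db.internal.corp\n"
        "c: http://svc-account:s3cr3tvalue@localhost:8080\n",
    "vendor/lib/client.js":  # real-looking secret, but the path is banlisted
        "const u = 'https://realuser:Re4lP4ss@api.internal.corp';\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {detect(name, text)}")
```

Running the script reports one hit, in config/settings.yml, with the port captured as a fourth match; deploy.py and docker-compose.yml are dropped by the password, username and host post-validators, and vendor/lib/client.js is never scanned because the vendors?(/|\\) filename banlist entry skips the whole document. That last case is the caveat worth remembering when tuning a detector like this one: a prevalidator that excludes a path excludes every secret in it, real or not.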
