
Bitwarden will autofill basic auth without asking

Published Friday, March 14, 2025

HTTP Basic auth is a simple and effective way of putting very simple authentication in front of a web service. It is appropriate for securing small-scale web services. Basic auth does send the credentials on every request, but now that HTTPS is ubiquitous this is no problem.

When implementing Basic auth in a service today, I had a surprising experience with Bitwarden. When using the non-authenticated part of the website, I did not appear to be logged in. But as soon as I navigated to one of the authenticated parts, I was logged in immediately. Initially, I thought this was a problem with the code; maybe the protection wasn't set up correctly. Normally, autofill is triggered with the CMD + Shift + L keyboard shortcut. Autofilling on page load is disabled by default, for security reasons.

It appears that Bitwarden will autofill, without any notification or signal, the credentials for a website. This is desired behaviour. It will do this when it finds exactly one login that matches the URI.

Something to keep in mind when using Basic auth for your service.
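The server side of the exchange described above, as an added example that is not code from the original post: it parses the `Authorization: Basic` header a client sends on every request and issues the 401 challenge that a browser prompt or a password manager answers. The credentials, realm and function names are constructed for illustration.

```python
import base64
import hmac

# Constructed sample values for the demo (assumptions, not from the post).
EXPECTED_USER = "admin"
EXPECTED_PASSWORD = "correct horse:battery"  # colons are legal in the password
REALM = "demo"


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")  # split on the first colon only
    if not sep:
        return None
    return user, password


def check_request(headers):
    """Model one request: return (status, response_headers)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        # Evaluate both constant-time comparisons before combining them.
        user_ok = hmac.compare_digest(creds[0].encode(), EXPECTED_USER.encode())
        pass_ok = hmac.compare_digest(creds[1].encode(), EXPECTED_PASSWORD.encode())
        if user_ok and pass_ok:
            return 200, {}
    # Missing or wrong credentials: send the challenge. This 401 is what a
    # browser prompt (or a password manager acting for the user) responds to.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def make_header(user, password):
    """What the client attaches to every request once it holds the credentials."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")
```

The header value is only base64-encoded, so the transport (HTTPS) is what keeps the credentials confidential.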