How does basic authentication work

1. client requests a protected resource without supplying credentials
2. server sends a response with a 401 (Unauthorized) status and a WWW-Authenticate challenge header
3. client presents the authentication realm to the user and asks for a username and password (the actual implementation is user-agent dependent)
4. client constructs the credential string using Base64 encoding (RFC 2045) and resends the original request, this time with an Authorization header

       GET /secret/index.html HTTP/1.1
       Host:
       Authorization: Basic xXN0d....

5. server verifies the credentials and sends the resource
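
Steps 2, 4 and 5 as code, in an added example that is not part of the original page: the client builds the credential string, and the server parses the header, answers 401 with a challenge or serves the resource. The realm, the account in USERS and all function names are constructed for illustration.

```python
import base64
import hmac

REALM = "secret"                  # constructed realm name
USERS = {"alice": "open:sesame"}  # constructed account; real servers store password hashes


def make_authorization(username, password):
    """Step 4, client side: Base64 of "username:password" (an encoding, not encryption)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header):
    """Return (username, password), or None if the header is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Only the first colon separates the fields; the password may contain colons.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def handle_request(headers):
    """Steps 2 and 5, server side: challenge with 401 or serve the resource."""
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    creds = parse_authorization(headers.get("Authorization"))
    if creds is None:
        return challenge
    username, password = creds
    expected = USERS.get(username)
    # Constant-time comparison, performed even when the user is unknown.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    if expected is None or not ok:
        return challenge
    return (200, {})
```

Because parse_authorization recovers the password from the header with a plain Base64 decode, anyone who can read the request can do the same, which is why Basic authentication needs TLS underneath it.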