Authorization

La richiesta header HTTP Authorization contiene le credenziali per autenticare un utente con il server, solitamente dopo che il server ha risposto con 401 Unauthorized status e con un header WWW-Authenticate .

Tipo Header richiesta header
Header name proibito no

Sintassi

Authorization: <tipo> <credenziali>

Direttive

<tipo>
Tipo di autenticazione. Un tipo comune è "Basic". Altri tipi sono:
<credenziali>
Se viene usato il tipo di autenticazione "Basic" le credenziali sono formate in questo modo:
  • Lo username e la password sono combinate con il simbolo dei due punti (aladdin:opensesame).
  • La stringa risultante è codificata in base64 (YWxhZGRpbjpvcGVuc2VzYW1l).

Note: La codifica Base64 non significa che venga effettuato un hash o una cifratura! Questo metodo è sicuro tanto quanto mandare le credenziali in chiaro (base64 è un codifica reversibile). Preferibilmente usa la Basic Authentication assieme al protocollo HTTPS.

Esempi

Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

Guarda anche HTTP authentication per esempi su come configurare i server Apache o nginx con password per proteggere i tuoi siti con l'autenticazione HTTP.

Specifiche

Specification Title
RFC 7235, section 4.2: Authorization HTTP/1.1: Authentication
RFC 7617 The 'Basic' HTTP Authentication Scheme

Vedi anche

Ultima modifica:

, by MDN contributors
Argomenti correlati
  1. HTTP
  2. Guides:
  3. Resources and URIs
    1. Identifying resources on the Web
    2. Data URIs
    3. Introduction to MIME Types
    4. Complete list of MIME Types
    5. Choosing between www and non-www URLs
  4. HTTP guide
    1. Basics of HTTP
    2. Overview of HTTP
    3. Evolution of HTTP
    4. HTTP Messages
    5. A typical HTTP session
    6. Connection management in HTTP/1.x
    7. Protocol upgrade mechanism
  5. HTTP security
    1. Content Security Policy (CSP)
    2. HTTP Public Key Pinning (HPKP)
    3. HTTP Strict Transport Security (HSTS)
    4. Cookie security
    5. X-Content-Type-Options
    6. X-Frame-Options
    7. X-XSS-Protection
    8. Mozilla web security guidelines
    9. Mozilla Observatory
  6. HTTP access control (CORS)
  7. HTTP authentication
  8. HTTP caching
  9. HTTP compression
  10. HTTP conditional requests
  11. HTTP content negotiation
  12. HTTP cookies
  13. HTTP range requests
  14. HTTP redirects
  15. HTTP specifications
  16. Feature policy
  17. References:
  18. HTTP headers
    1. Accept [Translate]
    2. Accept-Charset [Translate]
    3. Accept-Encoding [Translate]
    4. Accept-Language [Translate]
    5. Accept-Patch [Translate]
    6. Accept-Ranges [Translate]
    7. Access-Control-Allow-Credentials [Translate]
    8. Access-Control-Allow-Headers [Translate]
    9. Access-Control-Allow-Methods [Translate]
    10. Access-Control-Allow-Origin [Translate]
    11. Access-Control-Expose-Headers [Translate]
    12. Access-Control-Max-Age [Translate]
    13. Access-Control-Request-Headers [Translate]
    14. Access-Control-Request-Method [Translate]
    15. Age
    16. Allow [Translate]
    17. Alt-Svc [Translate]
    18. Authorization
    19. Cache-Control [Translate]
    20. Clear-Site-Data [Translate]
    21. Connection [Translate]
    22. Content-Disposition [Translate]
    23. Content-Encoding [Translate]
    24. Content-Language [Translate]
    25. Content-Length [Translate]
    26. Content-Location [Translate]
    27. Content-Range [Translate]
    28. Content-Security-Policy [Translate]
    29. Content-Security-Policy-Report-Only [Translate]
    30. Content-Type [Translate]
    31. Cookie
    32. Cookie2 [Translate]
    33. Cross-Origin-Resource-Policy [Translate]
    34. DNT [Translate]
    35. Date [Translate]
    36. Digest [Translate]
    37. ETag [Translate]
    38. Early-Data [Translate]
    39. Expect [Translate]
    40. Expect-CT [Translate]
    41. Expires [Translate]
    42. Feature-Policy [Translate]
    43. Forwarded [Translate]
    44. From [Translate]
    45. Host [Translate]
    46. If-Match [Translate]
    47. If-Modified-Since [Translate]
    48. If-None-Match [Translate]
    49. If-Range [Translate]
    50. If-Unmodified-Since [Translate]
    51. Index [Translate]
    52. Keep-Alive [Translate]
    53. Large-Allocation [Translate]
    54. Last-Modified [Translate]
    55. Link [Translate]
    56. Location [Translate]
    57. Origin [Translate]
    58. Pragma [Translate]
    59. Proxy-Authenticate [Translate]
    60. Proxy-Authorization [Translate]
    61. Public-Key-Pins [Translate]
    62. Public-Key-Pins-Report-Only [Translate]
    63. Range [Translate]
    64. Referer [Translate]
    65. Referrer-Policy [Translate]
    66. Retry-After [Translate]
    67. Save-Data [Translate]
    68. Sec-WebSocket-Accept [Translate]
    69. Server
    70. Server-Timing [Translate]
    71. Set-Cookie [Translate]
    72. Set-Cookie2 [Translate]
    73. SourceMap [Translate]
    74. Strict-Transport-Security
    75. TE [Translate]
    76. Timing-Allow-Origin [Translate]
    77. Tk [Translate]
    78. Trailer [Translate]
    79. Transfer-Encoding [Translate]
    80. Upgrade-Insecure-Requests [Translate]
    81. User-Agent [Translate]
    82. Vary [Translate]
    83. Via [Translate]
    84. WWW-Authenticate [Translate]
    85. Want-Digest [Translate]
    86. Warning [Translate]
    87. X-Content-Type-Options
    88. X-DNS-Prefetch-Control [Translate]
    89. X-Forwarded-For [Translate]
    90. X-Forwarded-Host [Translate]
    91. X-Forwarded-Proto [Translate]
    92. X-Frame-Options [Translate]
    93. X-XSS-Protection
  19. HTTP request methods
    1. CONNECT [Translate]
    2. DELETE [Translate]
    3. GET [Translate]
    4. HEAD [Translate]
    5. OPTIONS [Translate]
    6. PATCH [Translate]
    7. POST [Translate]
    8. PUT [Translate]
    9. TRACE [Translate]
  20. HTTP response status codes
    1. 100 Continue [Translate]
    2. 101 switch di protocolli
    3. 103 Early Hints [Translate]
    4. 200 OK
    5. 201 Created [Translate]
    6. 202 Accepted [Translate]
    7. 203 Non-Authoritative Information [Translate]
    8. 204 No Content [Translate]
    9. 205 Reset Content [Translate]
    10. 206 Partial Content [Translate]
    11. 300 Multiple Choices [Translate]
    12. 301 Moved Permanently [Translate]
    13. 302 Found
    14. 303 See Other [Translate]
    15. 304 Not Modified [Translate]
    16. 307 Temporary Redirect [Translate]
    17. 308 Permanent Redirect [Translate]
    18. 400 Bad Request [Translate]
    19. 401 Unauthorized [Translate]
    20. 402 Payment Required [Translate]
    21. 403 Forbidden [Translate]
    22. 404 Not Found
    23. 405 Method Not Allowed [Translate]
    24. 406 Not Acceptable [Translate]
    25. 407 Proxy Authentication Required [Translate]
    26. 408 Request Timeout [Translate]
    27. 409 Conflict [Translate]
    28. 410 Gone [Translate]
    29. 411 Length Required [Translate]
    30. 412 Precondition Failed [Translate]
    31. 413 Payload Too Large [Translate]
    32. 414 URI Too Long [Translate]
    33. 415 Unsupported Media Type [Translate]
    34. 416 Range Not Satisfiable [Translate]
    35. 417 Expectation Failed [Translate]
    36. 418 I'm a teapot [Translate]
    37. 422 Unprocessable Entity [Translate]
    38. 425 Too Early [Translate]
    39. 426 Upgrade Required [Translate]
    40. 428 Precondition Required [Translate]
    41. 429 Too Many Requests [Translate]
    42. 431 Request Header Fields Too Large [Translate]
    43. 451 Unavailable For Legal Reasons [Translate]
    44. 500 Internal Server Error
    45. 501 Not Implemented [Translate]
    46. 502 Bad Gateway [Translate]
    47. 503 Service Unavailable [Translate]
    48. 504 Gateway Timeout [Translate]
    49. 505 HTTP Version Not Supported [Translate]
    50. 511 Network Authentication Required [Translate]
  21. CSP directives
    1. CSP: base-uri [Translate]
    2. CSP: block-all-mixed-content [Translate]
    3. CSP: child-src [Translate]
    4. CSP: connect-src [Translate]
    5. CSP: default-src [Translate]
    6. CSP: font-src [Translate]
    7. CSP: form-action [Translate]
    8. CSP: frame-ancestors [Translate]
    9. CSP: frame-src [Translate]
    10. CSP: img-src [Translate]
    11. CSP: manifest-src [Translate]
    12. CSP: media-src [Translate]
    13. CSP: navigate-to [Translate]
    14. CSP: object-src [Translate]
    15. CSP: plugin-types [Translate]
    16. CSP: prefetch-src [Translate]
    17. CSP: referrer [Translate]
    18. CSP: report-to [Translate]
    19. CSP: report-uri [Translate]
    20. CSP: require-sri-for [Translate]
    21. CSP: sandbox [Translate]
    22. CSP: script-src [Translate]
    23. CSP: script-src-attr [Translate]
    24. CSP: script-src-elem [Translate]
    25. CSP: style-src [Translate]
    26. CSP: style-src-attr [Translate]
    27. CSP: style-src-elem [Translate]
    28. CSP: trusted-types [Translate]
    29. CSP: upgrade-insecure-requests [Translate]
    30. CSP: worker-src [Translate]
  22. CORS errors
    1. Reason: CORS disabled [Translate]
    2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz' [Translate]
    3. Errore: CORS header 'Access-Control-Allow-Origin' missing
    4. Reason: CORS header ‘Origin’ cannot be added [Translate]
    5. Reason: CORS preflight channel did not succeed [Translate]
    6. Motivo : Richiesta CORS Fallita
    7. Reason: CORS request external redirect not allowed [Translate]
    8. Reason: CORS request not HTTP [Translate]
    9. Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’ [Translate]
    10. Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’ [Translate]
    11. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed [Translate]
    12. Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’ [Translate]
    13. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ [Translate]
    14. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’ [Translate]
    15. Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel [Translate]
  23. Feature-Policy directives
    1. Feature-Policy: accelerometer [Translate]
    2. Feature-Policy: ambient-light-sensor [Translate]
    3. Feature-Policy: autoplay [Translate]
    4. Feature-Policy: camera [Translate]
    5. Feature-Policy: display-capture [Translate]
    6. Feature-Policy: document-domain [Translate]
    7. Feature-Policy: encrypted-media [Translate]
    8. Feature-Policy: fullscreen [Translate]
    9. Feature-Policy: geolocation [Translate]
    10. Feature-Policy: gyroscope [Translate]
    11. Feature-Policy: layout-animations [Translate]
    12. Feature-Policy: legacy-image-formats [Translate]
    13. Feature-Policy: magnetometer [Translate]
    14. Feature-Policy: microphone [Translate]
    15. Feature-Policy: midi [Translate]
    16. Feature-Policy: oversized-images [Translate]
    17. Feature-Policy: payment [Translate]
    18. Feature-Policy: picture-in-picture [Translate]
    19. Feature-Policy: speaker [Translate]
    20. Feature-Policy: sync-xhr [Translate]
    21. Feature-Policy: unoptimized-images [Translate]
    22. Feature-Policy: unsized-media [Translate]
    23. Feature-Policy: usb [Translate]
    24. Feature-Policy: vibrate [Translate]
    25. Feature-Policy: vr [Translate]
    26. Feature-Policy: wake-lock [Translate]
    27. Feature-Policy: webauthn [Translate]
    28. Feature-Policy: xr [Translate]