
Is `insecure_basic_auth` error expected when using HTTP proxy with HTTPS destination?

Open lukasz-lapczyk opened this issue 8 months ago • 0 comments

Issue

I'm getting this error after upgrading to hackney 1.24.1 when using HTTPoison in Elixir:

{:insecure_basic_auth, "Basic authentication over HTTP is insecure..."}

Setup

options = [
  proxy: {"proxy.example.com", 8080},
  proxy_auth: {"proxy_user", "proxy_pass"},
  hackney: [basic_auth: {"api_user", "api_pass"}]
]

HTTPoison.post("https://api.secure-service.com/endpoint", body, headers, options)

  • hackney: 1.24.1
  • httpoison: 1.8.2

Question

Is this error expected? My understanding is:

  • HTTP connection to proxy only carries CONNECT commands (no sensitive data)
  • Actual API credentials are sent over HTTPS to the final destination
  • This is standard enterprise proxy architecture

Current Workaround

Adding `hackney: [insecure_basic_auth: true]` fixes it, but I want to confirm this is the right approach.

lukasz-lapczyk, Jun 25 '25 12:06
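What each hop carries for the configuration in the issue, as an added example that is not part of the original post and is not hackney's or HTTPoison's code. `ProxyHopExposure` and its functions are hypothetical names; the model assumes the proxy is reached over plain HTTP and follows the CONNECT method of RFC 9110, and it does not reproduce hackney's own check.

```elixir
defmodule ProxyHopExposure do
  # Added illustration, not hackney or HTTPoison code. Hypothetical module that
  # models which credentials cross each hop, per the CONNECT method (RFC 9110).
  # Assumption: the proxy is reached over plain HTTP, as in the issue's setup.

  # Basic credentials are base64-encoded, not encrypted.
  def basic({user, pass}), do: "Basic " <> Base.encode64("#{user}:#{pass}")

  # For an https URL: bytes written to the proxy socket before any TLS handshake.
  def connect_request(%URI{host: host, port: port}, proxy_auth) do
    target = "#{host}:#{port}"
    auth = if proxy_auth, do: ["Proxy-Authorization: " <> basic(proxy_auth)], else: []
    Enum.join(["CONNECT #{target} HTTP/1.1", "Host: #{target}"] ++ auth, "\r\n") <> "\r\n\r\n"
  end

  # Origin request headers; these travel inside the tunnel for https URLs.
  def origin_headers(%URI{host: host}, basic_auth) do
    auth = if basic_auth, do: ["Authorization: " <> basic(basic_auth)], else: []
    ["Host: #{host}"] ++ auth
  end

  # Sorts each configured credential by the channel that carries it.
  def exposure(url, opts) do
    uri = URI.parse(url)
    api_auth = opts |> Keyword.get(:hackney, []) |> Keyword.get(:basic_auth)
    proxy_auth = if Keyword.has_key?(opts, :proxy), do: Keyword.get(opts, :proxy_auth)
    api_channel = if uri.scheme == "https", do: :tls, else: :cleartext
    found = [proxy_auth: {proxy_auth, :cleartext}, basic_auth: {api_auth, api_channel}]

    for {name, {creds, channel}} <- found, creds != nil, reduce: %{cleartext: [], tls: []} do
      acc -> Map.update!(acc, channel, &(&1 ++ [name]))
    end
  end
end

# Option values and URL copied from the issue's setup.
opts = [
  proxy: {"proxy.example.com", 8080},
  proxy_auth: {"proxy_user", "proxy_pass"},
  hackney: [basic_auth: {"api_user", "api_pass"}]
]
uri = URI.parse("https://api.secure-service.com/endpoint")
IO.puts("-- client to proxy, cleartext --")
IO.write(ProxyHopExposure.connect_request(uri, opts[:proxy_auth]))
IO.puts("-- inside TLS tunnel to origin --")
Enum.each(ProxyHopExposure.origin_headers(uri, opts[:hackney][:basic_auth]), &IO.puts/1)
IO.inspect(ProxyHopExposure.exposure("https://api.secure-service.com/endpoint", opts))
IO.inspect(ProxyHopExposure.exposure("http://api.secure-service.com/endpoint", opts))
```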