QA How-To
How to Handle basic auth in Selenium (2026)
Learn selenium how to handle basic auth securely across local, Grid, and CI runs, with strategy comparisons, negative tests, and credential-safe Java code.
18 min read | 4,246 words
TL;DR
To handle HTTP Basic Authentication in Selenium, choose a secure authentication strategy, avoid brittle browser prompts, validate successful and rejected credentials, and keep secrets out of source code and reports. Use Selenium 4 public APIs, explicit waits, precise assertions, isolated test state, and reliable cleanup.
Key Takeaways
- Treat HTTP Basic Authentication in Selenium as a state transition with a clear postcondition.
- Use explicit, bounded synchronization instead of fixed sleeps.
- Verify the business result, not only that WebDriver issued a command.
- Keep test data and artifacts isolated for safe parallel execution.
- Capture diagnostic context without exposing secrets or personal data.
- Run the scenario with CI-equivalent browser and environment settings.
selenium how to handle basic auth means more than making WebDriver perform an action. The dependable solution is to choose a secure authentication strategy, avoid brittle browser prompts, validate successful and rejected credentials, and keep secrets out of source code and reports. This guide shows a Java and Selenium 4 approach that remains readable in local runs, headless CI, and remote execution.
The examples use public WebDriver APIs and JUnit 5. Selenium Manager is available through the normal driver constructor, so the examples do not hard-code a driver executable path. Adapt locators and application URLs to your system, but keep the synchronization, evidence, security, and assertion boundaries intact.
TL;DR
- Identify the browser or application state that proves the operation is ready.
- Use a bounded explicit wait, not a fixed sleep.
- Verify the business result, not only the WebDriver command.
- Isolate test data and execution artifacts for parallel safety.
- Capture safe diagnostic context and always clean up.
| Strategy | Portability | Security and maintenance |
|---|---|---|
| Credentials in URL | Inconsistent in modern browsers | Can leak through logs and history |
| Direct HTTP contract test | High | Excellent for challenge and response behavior |
| Test-only authenticated session | Application dependent | Stable when reviewed and access controlled |
| Browser network integration | Browser and binding dependent | Powerful but requires compatibility ownership |
| Native prompt automation | Low | Platform-specific and brittle |
1. Understand HTTP Basic Authentication
Recognize the HTTP challenge and Authorization header exchange. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
Confusing HTTP auth with an HTML login form leads to unusable locators. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Inspect the 401 response and WWW-Authenticate header with browser or service diagnostics. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. The related guide to API test automation framework design provides a useful pattern when this flow has synchronization or design concerns.
What to assert
The test identifies the protection boundary before choosing tooling. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
2. Choose the Right Basic Auth Strategy
Select a browser-supported or protocol-level approach based on coverage intent. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
One workaround may fail across browsers, Grid, proxies, or security policies. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Compare URL credentials, authenticated request setup, browser network support, and test-environment bypasses. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. The related guide to Selenium Grid interview questions provides a useful pattern when this flow has synchronization or design concerns.
What to assert
The strategy has explicit browser and environment support. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
3. Use URL Credentials Only as a Limited Fallback
Understand the historical username and password URL syntax without treating it as universal. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
Modern browsers can reject, redact, or inconsistently handle embedded credentials. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Use it only after proving support in the exact browser matrix and never log the URL. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. The related guide to secure test data strategy provides a useful pattern when this flow has synchronization or design concerns.
What to assert
A compatibility test guards the chosen environment. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
4. Authenticate Through a Controlled Test Endpoint
Obtain or establish authenticated state outside brittle browser chrome when architecture permits. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
UI automation cannot reliably locate native authentication prompts. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Use a test API, reverse proxy rule, or preauthenticated session approved by the application team. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. Keep the implementation close to the observable requirement so a reviewer can see why each wait and assertion exists.
What to assert
The protected page still verifies authorization behavior. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
5. Use Selenium Network Capabilities Deliberately
Treat browser network or DevTools integration as browser-specific unless WebDriver support is standard for your binding. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
Copying an example from another Selenium language can invent an unavailable API. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Check the installed Java binding and browser support, isolate the adapter, and provide a fallback. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. Keep the implementation close to the observable requirement so a reviewer can see why each wait and assertion exists.
What to assert
Unsupported browsers fail with a clear skip or configuration message. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
6. Keep Credentials Out of Code and Logs
Load secrets from environment or a managed CI secret store. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
Basic credentials are merely encoded in transit and remain sensitive. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Redact URLs, headers, screenshots, and command output while using least-privilege accounts. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. Keep the implementation close to the observable requirement so a reviewer can see why each wait and assertion exists.
What to assert
A failed test publishes no password or Authorization value. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
7. Test Success, Failure, and Authorization Boundaries
Cover valid, invalid, missing, and insufficiently privileged identities. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
A single happy path proves neither rejection nor role enforcement. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Assert the protected resource, the 401 challenge, retry behavior, and downstream access control. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. Keep the implementation close to the observable requirement so a reviewer can see why each wait and assertion exists.
What to assert
Each identity receives only its intended outcome. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
8. Run Basic Auth Tests on Grid and CI
Account for proxy routing, remote browsers, secret injection, and parallel sessions. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
Credentials that exist locally may never reach remote nodes. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Inject secrets at runtime, verify host allowlists, and isolate accounts or data. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. Keep the implementation close to the observable requirement so a reviewer can see why each wait and assertion exists.
What to assert
Remote runs authenticate without exposing credentials in capabilities. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
9. Troubleshoot Authentication Loops and 401 Responses
Separate bad credentials, wrong realm, proxy challenges, redirects, and cached state. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
Repeated refreshes can lock accounts or obscure the first challenge. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Inspect status and headers outside the browser, start a clean profile, and test one layer at a time. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. Keep the implementation close to the observable requirement so a reviewer can see why each wait and assertion exists.
What to assert
The failing server and realm are identified. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
10. Selenium How to Handle Basic Auth Checklist
Document support, secret handling, negative cases, and cleanup. That is the practical center of HTTP Basic Authentication in Selenium. Start by naming the observable state before the action and the state expected afterward. A reliable test does not assume that a click, navigation, or command succeeded. It gathers evidence at the boundary where control moves between the test, browser, application, and operating environment.
Authentication shortcuts often survive long after their security assumptions change. This matters most on CI, where CPU load, filesystem speed, browser policy, viewport, locale, and network routing may differ from a developer laptop. Keep the scenario narrow and make preconditions visible in setup. If the action depends on data, use a known record and log its nonsecret identifier. If it depends on browser state, assert that state before proceeding. These habits make a failed assertion explain the product behavior rather than merely report a timeout.
Implementation approach
Review the approach with security and rerun compatibility checks during browser upgrades. Prefer a bounded explicit wait over an unbounded retry. Re-locate elements after navigation or a component rerender, and reserve JavaScript execution for cases where it represents the supported behavior rather than a way to bypass the UI. Keep the implementation close to the observable requirement so a reviewer can see why each wait and assertion exists.
What to assert
The suite fails safely when the integration changes. Add a negative or boundary check when it protects a distinct risk. Assertion messages should include expected state, safe actual state, and the step being performed. Do not print tokens, passwords, personal data, or full payloads. On failure, preserve enough context to reproduce the issue, then let cleanup run even if evidence collection itself encounters an error. This produces a test that is diagnostic, reviewable, and safe to run repeatedly.
11. selenium how to handle basic auth: Runnable Selenium 4 Java Example
The following example uses current, public Java APIs. Add Selenium Java and JUnit Jupiter to a Maven or Gradle test project, then run it with a locally installed supported browser. The normal driver constructor delegates driver discovery to Selenium Manager. Avoid copying only the central command. Setup, explicit synchronization, assertions, and cleanup are all part of the example's reliability contract.
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Base64;
import org.junit.jupiter.api.*;
class BasicAuthContractTest {
@Test void validCredentialsReachProtectedResource() throws Exception {
String user = requireSecret("BASIC_AUTH_USER");
String password = requireSecret("BASIC_AUTH_PASSWORD");
String token = Base64.getEncoder().encodeToString(
(user + ":" + password).getBytes(StandardCharsets.UTF_8));
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://example.test/protected"))
.timeout(Duration.ofSeconds(10))
.header("Authorization", "Basic " + token)
.GET().build();
HttpResponse<String> response = HttpClient.newHttpClient()
.send(request, HttpResponse.BodyHandlers.ofString());
Assertions.assertEquals(200, response.statusCode());
Assertions.assertFalse(response.body().isBlank());
}
static String requireSecret(String name) {
String value = System.getenv(name);
if (value == null || value.isBlank()) throw new IllegalStateException(name + " is required");
return value;
}
}
Keep this example small enough to debug. In a production framework, move repeated browser lifecycle and evidence capture into focused fixtures, while keeping the test's business intent visible. Never create a universal helper that catches every exception and returns a boolean, because that destroys the original stack trace and weakens failure diagnosis.
Run the scenario twice locally, then once with the same headless and browser arguments used by CI. A passing run should leave no shared state. A failing run should name the unmet condition and preserve safe evidence. Review Selenium Grid interview questions before turning the example into a larger page-object abstraction.
Interview Questions and Answers
A strong interview response explains both the Selenium API and the engineering reason behind it. Use the answers below as models, then add a brief example from your own framework.
Q: Is Basic Authentication an HTML login form?
No. The server returns a 401 challenge and the browser handles credentials outside the page DOM. Normal Selenium element locators cannot reliably automate that browser-owned prompt.
Q: Can you put username and password in the URL?
The historical syntax exists, but modern browser behavior and security policy are inconsistent. Treat it as a limited, verified fallback and never expose that URL in logs.
Q: What is the safest way to store Basic Auth credentials?
Use a managed CI secret store or runtime environment variables with least-privilege test accounts. Redact credentials and Authorization headers from every artifact.
Q: Should Basic Auth be tested with Selenium or an API client?
Use an API client for detailed challenge, status, header, and negative-case coverage. Use Selenium for the protected user journey after authenticated state is established through a supported mechanism.
Q: Why does Basic Auth fail on Selenium Grid?
The remote browser, proxy, node policy, or capability set may differ from local execution. Confirm where the challenge originates and how credentials reach that remote session without appearing in capabilities or logs.
Q: What negative Basic Auth cases matter?
Test missing, malformed, invalid, expired, and insufficiently privileged credentials as applicable. Assert both the response and that protected content is not exposed.
Q: How do you troubleshoot repeated authentication prompts?
Start with a clean profile and inspect the first 401 plus WWW-Authenticate realm. Verify redirects and proxies because a second server can issue a different challenge.
Common Mistakes
- Trying to locate a browser-owned auth prompt with CSS or XPath. Explain what state the test assumes, replace the assumption with an observable condition, and add a focused postcondition. During review, ask whether this mistake could create a false pass, a flaky failure, leaked data, or a result that cannot be diagnosed on CI.
- Hard-coding credentials in source control. Explain what state the test assumes, replace the assumption with an observable condition, and add a focused postcondition. During review, ask whether this mistake could create a false pass, a flaky failure, leaked data, or a result that cannot be diagnosed on CI.
- Printing credential-bearing URLs or Authorization headers. Explain what state the test assumes, replace the assumption with an observable condition, and add a focused postcondition. During review, ask whether this mistake could create a false pass, a flaky failure, leaked data, or a result that cannot be diagnosed on CI.
- Assuming embedded URL credentials work in every browser. Explain what state the test assumes, replace the assumption with an observable condition, and add a focused postcondition. During review, ask whether this mistake could create a false pass, a flaky failure, leaked data, or a result that cannot be diagnosed on CI.
- Testing only valid credentials. Explain what state the test assumes, replace the assumption with an observable condition, and add a focused postcondition. During review, ask whether this mistake could create a false pass, a flaky failure, leaked data, or a result that cannot be diagnosed on CI.
- Sharing one mutable account across parallel tests. Explain what state the test assumes, replace the assumption with an observable condition, and add a focused postcondition. During review, ask whether this mistake could create a false pass, a flaky failure, leaked data, or a result that cannot be diagnosed on CI.
Conclusion
The practical answer to selenium how to handle basic auth is to choose a secure authentication strategy, avoid brittle browser prompts, validate successful and rejected credentials, and keep secrets out of source code and reports. The WebDriver call is only one part of the solution. Deterministic setup, state-based synchronization, business-focused assertions, secure evidence, and unconditional cleanup are what make the test trustworthy.
Start with one representative happy path, add the most valuable negative or boundary case, and run both under CI-equivalent conditions. Then extract only the mechanics that genuinely repeat. That sequence gives the team maintainable coverage without hiding the behavior that an engineer needs to understand when a test fails.
Interview Questions and Answers
Is Basic Authentication an HTML login form?
No. The server returns a 401 challenge and the browser handles credentials outside the page DOM. Normal Selenium element locators cannot reliably automate that browser-owned prompt.
Can you put username and password in the URL?
The historical syntax exists, but modern browser behavior and security policy are inconsistent. Treat it as a limited, verified fallback and never expose that URL in logs.
What is the safest way to store Basic Auth credentials?
Use a managed CI secret store or runtime environment variables with least-privilege test accounts. Redact credentials and Authorization headers from every artifact.
Should Basic Auth be tested with Selenium or an API client?
Use an API client for detailed challenge, status, header, and negative-case coverage. Use Selenium for the protected user journey after authenticated state is established through a supported mechanism.
Why does Basic Auth fail on Selenium Grid?
The remote browser, proxy, node policy, or capability set may differ from local execution. Confirm where the challenge originates and how credentials reach that remote session without appearing in capabilities or logs.
What negative Basic Auth cases matter?
Test missing, malformed, invalid, expired, and insufficiently privileged credentials as applicable. Assert both the response and that protected content is not exposed.
How do you troubleshoot repeated authentication prompts?
Start with a clean profile and inspect the first 401 plus WWW-Authenticate realm. Verify redirects and proxies because a second server can issue a different challenge.
Frequently Asked Questions
Is Basic Authentication an HTML login form?
No. The server returns a 401 challenge and the browser handles credentials outside the page DOM. Normal Selenium element locators cannot reliably automate that browser-owned prompt.
Can you put username and password in the URL?
The historical syntax exists, but modern browser behavior and security policy are inconsistent. Treat it as a limited, verified fallback and never expose that URL in logs.
What is the safest way to store Basic Auth credentials?
Use a managed CI secret store or runtime environment variables with least-privilege test accounts. Redact credentials and Authorization headers from every artifact.
Should Basic Auth be tested with Selenium or an API client?
Use an API client for detailed challenge, status, header, and negative-case coverage. Use Selenium for the protected user journey after authenticated state is established through a supported mechanism.
Why does Basic Auth fail on Selenium Grid?
The remote browser, proxy, node policy, or capability set may differ from local execution. Confirm where the challenge originates and how credentials reach that remote session without appearing in capabilities or logs.
What negative Basic Auth cases matter?
Test missing, malformed, invalid, expired, and insufficiently privileged credentials as applicable. Assert both the response and that protected content is not exposed.