Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.
// Using HttpPost from Apache HttpClient String encoding = Base64Encoder.encode ("login:passwd"); org.apache.http.client.methods.HttpPost httppost = new HttpPost(url); httppost.setHeader("Authorization", "Basic " + encoding); // Noncompliant or // Using HttpURLConnection String encoding = Base64.getEncoder().encodeToString(("login:passwd").getBytes(‌"UTF‌​-8"​)); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); conn.setRequestMethod("POST"); conn.setDoOutput(true); conn.setRequestProperty("Authorization", "Basic " + encoding); // Noncompliant