If I have a username/password in my settings.xml file for a (Nexus) remote repository with an HTTP (not HTTPS) URL, will this username/password be sent in plaintext to the remote server?
I'm wondering if there's a potential security issue with our public-facing HTTP-only password-authenticated Nexus server.
Maven uses HTTP Basic authentication to send the credentials. A typical HTTP header for this looks something along the lines of:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Where QWxhZGRpbjpvcGVuIHNlc2FtZQ== is actually a Base64-encoded representation of your username:password combination. This offers no security whatsoever, but it's not plain-text either.
For more details on HTTP Basic authentication, you can check here.
Most build tools like Maven, Ant, Gradle, SBT, npm, use HTTP Basic. That's not as secure as it should be. Using it over HTTPS could make you feel more secure. :)
