Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
It is the HTTP request header carrying client credentials — like "Bearer <token>" or Basic base64 user:pass — that a server checks before granting access.
Authorization Header Definition: It is the HTTP request header carrying client credentials — like "Bearer <token>" or Basic base64 user:pass — that a server checks before granting access.
The Authorization header is a standard HTTP request header that carries credentials a client sends to prove it may access a protected resource. Defined in RFC 7235, it follows the form "Authorization:
It works as part of HTTP's challenge-response flow. When a client requests a protected resource without valid credentials, the server replies 401 Unauthorized with a WWW-Authenticate header naming the accepted scheme. The client then resends the request with an Authorization header containing credentials for that scheme: Basic concatenates user:password and Base64-encodes it; Bearer carries an OAuth 2.0 access token or JWT; API keys and HMAC signatures use custom or standard schemes. The server validates the credentials before processing the request.
It matters for security because this header is a high-value secret in transit. Basic auth is only Base64-encoded — not encrypted — so without TLS it is trivially decoded from intercepted traffic. Tokens placed here can be stolen via logging, referrer leakage, or man-in-the-middle attacks and then replayed. Best practice is to send the header only over HTTPS, prefer short-lived Bearer tokens over Basic auth, never log the header, and scope tokens narrowly so a leaked credential grants minimal access.
For example, a mobile app calling a REST API first obtains an OAuth 2.0 access token, then includes "Authorization: Bearer eyJhbGciOi..." on each request. The API gateway validates the token's signature, expiry, and scopes before routing the call. By contrast, a quick internal script might use "Authorization: Basic" with Base64 credentials — acceptable only behind TLS on a trusted network, since anyone capturing the request could reverse the encoding instantly.
Authorization Header is one of the topics you'll master in the Security+ Boot Camp.
Security+ Boot Camp →