Basic Authentication
Basic Authentication adds a username/password prompt in front of your application at the ingress level. It is implemented via Traefik middleware — your application code needs no changes.
How it works
Traefik intercepts all requests and prompts for credentials before forwarding to your container. Authentication is per-domain; unauthenticated requests receive 401 Unauthorized.
Adding credentials
- Open the app and go to the Advanced tab.
- Scroll to the Basic Authentication card.
- Click Add Auth Credential.
- Enter a Username and Password.
- Click Save, then Deploy.
Redeployment required
All credential changes (add, edit, remove) require a redeployment to take effect.
Use cases
- Protecting staging environments from public access
- Adding an extra layer to admin panels
- Temporary access for clients or testers (easy to revoke)
Security considerations
Limitations
- Basic Auth transmits credentials as Base64 on every request — always use HTTPS.
- Not suitable as the sole authentication mechanism for sensitive data.
- No session — browsers re-send credentials on each request.
Recommendations
- Use strong, random passwords.
- Rotate credentials when access is no longer needed.
- Combine with network policies for sensitive apps.
Troubleshooting
| Symptom | Fix |
|---|---|
| Login prompt not appearing | Ensure app was redeployed after adding credentials |
| Prompt appears but credentials rejected | Clear browser cache; try incognito window |
| No credentials configured | Check that at least one credential is saved |
Related
- Network policies — Kubernetes-level traffic control
- Two-factor auth — 2FA for QuickStack UI access