Enables HTTP Basic Authentication, which can be used to protect directories and files with a username and hashed password.

Note that basic auth is not secure over plain HTTP. Use discretion when deciding what to protect with HTTP Basic Authentication.

When a user requests a resource that is protected, the browser will prompt the user for a username and password if they have not already supplied one. If the proper credentials are present in the Authorization header, the server will grant access to the resource. If the header is missing or the credentials are incorrect, the server will respond with HTTP 401 Unauthorized.

Caddy configuration does not accept plaintext passwords; you MUST hash them before putting them into the configuration. The caddy hash-password command can help with this.


basicauth [<matcher>] [<hash_algorithm> [<realm>]] {
	<username> <hashed_password_base64> [<salt_base64>]
  • <hash_algorithm> is the name of the password hashing algorithm (or KDF) used for the hashes in this configuration. Can be bcrypt (default) or scrypt.
  • <realm> is a custom realm name.
  • <username> is a username or user ID.
  • <hashed_password_base64> is the base-64 encoding of the hashed password.
  • <salt_base64> is the base-64 encoding of the password salt, if an external salt is required.


Protect all resources in /secret so only Bob can access them with the password "hiccup":

basicauth /secret/* {