a project


Enables HTTP Basic Authentication, which can be used to protect directories and files with a username and hashed password.

Note that basic auth is not secure over plain HTTP. Use discretion when deciding what to protect with HTTP Basic Authentication.

When a user requests a resource that is protected, the browser will prompt the user for a username and password if they have not already supplied one. If the proper credentials are present in the Authorization header, the server will grant access to the resource. If the header is missing or the credentials are incorrect, the server will respond with HTTP 401 Unauthorized.

Caddy configuration does not accept plaintext passwords; you MUST hash them before putting them into the configuration. The caddy hash-password command can help with this.

After a successful authentication, the {} placeholder will be available, which contains the authenticated username.


basicauth [<matcher>] [<hash_algorithm> [<realm>]] {
	<username> <hashed_password> [<salt_base64>]
  • <hash_algorithm> is the name of the password hashing algorithm (or KDF) used for the hashes in this configuration. Default: bcrypt

  • <realm> is a custom realm name.

  • <username> is a username or user ID.

  • <hashed_password> is the password hash.

  • <salt_base64> is the base-64 encoding of the password salt, if an external salt is required. This was only needed for the scrypt algorithm which is now deprecated. Subject to removal.


Protect all resources in /secret so only Bob can access them with the password "hiccup":

basicauth /secret/* {
	Bob $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG