The Bike Shed

485: HTTP Basic Auth

40 min episode · 2 min read

AI-Generated Summary

Key Takeaways

  • Sidekiq connection pooling: set the Active Record pool to 100-200 rather than trying to match it exactly to each dyno's Sidekiq concurrency. The pool size is an upper bound on the connections a process may open, not a number opened at boot, so a generous value removes per-environment tuning. The binding limit is still the Postgres server's maximum connection count across all processes, which is the problem the PgBouncer point below addresses.
  • Basic Auth CSRF protection: once a browser has cached HTTP Basic Auth credentials for a realm, it attaches them to every request to that realm, including requests a third-party page triggers with a hidden form, an image URL or a script. Destructive endpoints therefore still need CSRF tokens (or an equivalent origin check). CORS does not help here: it keeps the attacker's page from reading the response, not from sending the request.
  • PgBouncer architecture: put PgBouncer in front of Postgres as a global connection pool once the per-dyno pools stop scaling. It centralizes connection management across all dynos and hands connections back faster than per-dyno Active Record pools, which improves I/O efficiency at scale.
  • API authentication safety: APIs authenticated with OAuth or bearer tokens sent in an Authorization header the client sets itself do not need CSRF protection, because the browser never attaches such a header on its own. Credentials the browser does attach automatically, Basic Auth and cookie-based sessions, do need it. SameSite cookie restrictions can cover the cookie case, but they do not apply to Basic Auth credentials, which are not cookies.
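
The following Ruby example is added here to illustrate the two CSRF points above and is not code from the episode or from thoughtbot. It shows a destructive endpoint behind HTTP Basic Auth in two forms: one that honours any authenticated request, and one hardened with a per-user token that a cross-site page cannot obtain because it cannot read the authenticated HTML the token is served in. The token scheme (an HMAC of the username under a server secret) is one stateless approach chosen for the example, not Rails's own protect_from_forgery; the user table, secret, header names and request hashes are all constructed.

```ruby
require "base64"
require "openssl"

# Constructed example: a minimal handler for a destructive endpoint behind
# HTTP Basic Auth, first without and then with CSRF protection.
# The users, secret and requests below are made up for the illustration.
USERS = { "alice" => "correct horse battery staple" }.freeze
CSRF_SECRET = "example-only secret; load a real one from your secret store"

# Constant-time byte comparison so response timing does not leak how many
# leading characters of a password or token were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse "Authorization: Basic base64(user:password)"; return the username
# on success, nil on a missing, malformed or wrong credential.
def basic_auth_user(headers)
  value = headers["Authorization"].to_s
  return nil unless value.start_with?("Basic ")
  user, pass = Base64.strict_decode64(value.delete_prefix("Basic ")).split(":", 2)
  return nil unless user && pass && USERS.key?(user)
  secure_equal?(pass, USERS[user]) ? user : nil
rescue ArgumentError
  nil # not valid base64
end

# Stateless CSRF token bound to the authenticated user. The app embeds it in
# the authenticated HTML it serves; a third-party origin cannot read that
# page (same-origin policy / CORS), so it cannot learn the token.
def csrf_token_for(user)
  OpenSSL::HMAC.hexdigest("SHA256", CSRF_SECRET, user)
end

# Vulnerable: any request carrying valid Basic Auth is honoured. Because the
# browser attaches cached Basic Auth credentials to every request for the
# realm, a hidden form on evil.example deletes the victim's account.
def vulnerable_delete(request)
  user = basic_auth_user(request[:headers])
  return [401, "authentication required"] unless user
  [200, "account of #{user} deleted"]
end

# Hardened: same authentication, plus the request must carry the token the
# legitimate page read from the authenticated HTML.
def protected_delete(request)
  user = basic_auth_user(request[:headers])
  return [401, "authentication required"] unless user
  sent = request[:headers]["X-CSRF-Token"].to_s
  return [403, "missing or invalid CSRF token"] unless secure_equal?(sent, csrf_token_for(user))
  [200, "account of #{user} deleted"]
end

CREDS = "Basic " + Base64.strict_encode64("alice:correct horse battery staple")

# Constructed request as the browser sends it when a page on evil.example
# auto-submits a hidden form to POST /account/delete: the browser adds the
# cached credentials, but the attacker has no token to add. CORS does not
# stop this request from being sent; it only hides the response from the
# attacker's script.
FORGED = { method: "POST", path: "/account/delete",
           headers: { "Authorization" => CREDS, "Origin" => "https://evil.example" } }

# Constructed request from the app's own page, which read the token.
LEGIT = { method: "POST", path: "/account/delete",
          headers: { "Authorization" => CREDS, "X-CSRF-Token" => csrf_token_for("alice") } }

# A bearer-token API needs none of this: nothing makes the browser attach an
# Authorization: Bearer header it did not set itself, so a forged request
# arrives with no credential at all and fails authentication outright.
NO_CREDS = { method: "POST", path: "/account/delete", headers: {} }

if __FILE__ == $0
  p vulnerable_delete(FORGED)  # [200, "account of alice deleted"]  <- the CSRF
  p protected_delete(FORGED)   # [403, "missing or invalid CSRF token"]
  p protected_delete(LEGIT)    # [200, "account of alice deleted"]
  p protected_delete(NO_CREDS) # [401, "authentication required"]
end
```

The token is bound to the username rather than to a session because a Basic Auth client may have no session cookie at all; rotating CSRF_SECRET invalidates every outstanding token at once. Checking the Origin header against an allow-list is a reasonable complementary defence, but note that it is absent from the constructed requests of older or non-browser clients, so treat it as a second layer rather than the only one.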

What It Covers

The episode examines HTTP Basic Auth implementation, covering database connection pool configuration for Sidekiq workers, CSRF vulnerability mitigation strategies, and security trade-offs when using browser-based authentication versus token-based API authentication systems.

Notable Moment

A Twitch streamer playing Mario 64 captured footage of the character instantly teleporting between platforms. The gaming community's best explanation attributes this visual glitch to a cosmic ray flipping a bit in memory during gameplay.
