@phenomlab one could argue that there is nothing cleaner than basic auth from a web server 😄
@julian true, yes, but cleaner in my view at application level
Certainly both can be argued as true. My understanding of security best practices is generally speaking to block the bad stuff as far upstream as operationally feasible. Hence, if asked, I would recommend enforcing at the web server level.
Additionally, in keeping with best practices, had I cause to be extra paranoid and/or protecting some "higher" value asset, I would recommend also enforcing/checking the policy once again at the app level. Layered onions, and all that.
So, like many things, not a simple either/or. Unless you want it to be? Seeing the simplicity in the complex is also a desirable trait cuz your security posture also needs to be maintainable. For you and your resource commitment levels, eh? 🤔
Have a groovy day. ✌ 🐕 🌴
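The layered approach the thread lands on (enforce Basic auth upstream at the web server, then check it again inside the application) can be shown concretely. The following is an added example, not code from anyone in the thread: the upstream layer is assumed to be something like nginx's `auth_basic` / `auth_basic_user_file` directives, and the block below is the application-level second layer, a tiny WSGI app that independently parses and verifies the `Authorization: Basic` header against a hypothetical credential store (`USERS`, with a constructed demo user and salt). It rejects malformed headers, uses a salted PBKDF2 hash rather than plaintext, and compares in constant time, so the app still holds the line if the web server's auth config is ever loosened or bypassed.

```python
import base64
import binascii
import hashlib
import hmac


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-SHA256 hash for a password (no plaintext storage)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed demo credential store: username -> (salt, hash). In a real
# deployment this is generated from the same source as the web server's
# htpasswd file so both layers agree on who is allowed in.
_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy entry so unknown usernames cost the same time as known ones
# (avoids leaking which usernames exist via response timing).
_DUMMY = (_SALT, _pbkdf2("dummy-password", _SALT))


def make_basic_header(user: str, password: str) -> str:
    """Build the header value a client would send (used for demo/testing)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: treat as unauthenticated, never as an error page
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires a colon separator
    return user, password


def check_basic_auth(header_value, users=USERS) -> bool:
    """App-level verification of Basic credentials, independent of the web server."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    user, password = creds
    known = user in users
    salt, expected = users[user] if known else _DUMMY
    candidate = _pbkdf2(password, salt)
    # Constant-time compare; the 'and known' keeps unknown users rejected
    # even if their guess happens to match the dummy hash.
    return hmac.compare_digest(candidate, expected) and known


def app(environ, start_response):
    """Minimal WSGI app: the second onion layer behind the web server's auth."""
    if not check_basic_auth(environ.get("HTTP_AUTHORIZATION")):
        start_response(
            "401 Unauthorized",
            [("WWW-Authenticate", 'Basic realm="app"'), ("Content-Type", "text/plain")],
        )
        return [b"unauthorized\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


if __name__ == "__main__":
    # Run stand-alone for a quick local check (hypothetical port choice).
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Because the web server has already rejected unauthenticated traffic, the app-level check normally only ever sees valid headers; its value is precisely the case where that assumption breaks, which is why it should fail closed (return 401) on anything it cannot parse rather than falling through to the handler.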