We had a security audit, and one of the recommendations* is that we stop using HTTP Basic Authentication, which sends username (consumer key) and password (consumer secret) with basically no protection over the wire (just Base64 encoding). However, we're using *only* https endpoints and SSL, thus our traffic is encrypted even when using Basic Auth. Therefore, I'm wondering if the security firm's recommendation even makes sense.
I searched the Apigee documentation at http://docs.apigee.com/api-services/reference/, but did not see any built-in support for HTTP Digest access authentication.
What would be the easiest way to implement this for our proxies?
* Recommendation:
Implement an authentication mechanism that does not include the username and password in clear text in the HTTP headers. For example, HTTP Digest authentication uses cryptographic techniques to avoid directly exposing the user's password in HTTP requests.
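As an added example (not part of the original post, and not Apigee policy code), the following self-contained Python script models the two schemes the post compares. It shows a Basic header being decoded back to the consumer secret, then runs an RFC 2617 Digest exchange (qop="auth", MD5) with both sides' messages: the server challenge, the client's response, and the server verifying it against a stored HA1 rather than the password. The realm, the credentials, the request URI and the nonce-store shape are all constructed for the demo.

```python
"""Added example: Basic vs. HTTP Digest (RFC 2617, qop="auth", MD5), both sides.

Constructed sample data only; not the original post's code and not an Apigee policy.
"""
import base64
import hashlib
import hmac
import os
import re

REALM = "api.example.com"  # assumed realm for the demo

# Constructed sample credentials (consumer key / consumer secret).
USERS = {"consumer-key-1": "consumer-secret-1"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); the server stores this, not the password."""
    return md5_hex(f"{user}:{realm}:{password}")


# Server-side credential store: username -> HA1.
SERVER_HA1 = {u: ha1(u, REALM, p) for u, p in USERS.items()}

# Server-side nonce store: nonce -> highest nonce-count (nc) accepted so far.
_issued_nonces: dict[str, int] = {}


def basic_header(user: str, password: str) -> str:
    """What Basic Auth puts on the wire: Base64 of user:password, no secrecy."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header: str) -> list[str]:
    """Anyone who can read the header recovers the credentials directly."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)


def parse_params(header: str):
    """Split 'Scheme k="v", k2=v2' into (scheme, {k: v})."""
    scheme, _, rest = header.partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def server_challenge() -> str:
    """Server -> client: WWW-Authenticate challenge with a fresh random nonce."""
    nonce = os.urandom(16).hex()
    _issued_nonces[nonce] = 0
    return (f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", '
            f'opaque="{os.urandom(8).hex()}"')


def client_response(challenge: str, user: str, password: str,
                    method: str, uri: str, nc: int = 1) -> str:
    """Client -> server: Authorization header. The password never leaves the client."""
    _, p = parse_params(challenge)
    cnonce = os.urandom(8).hex()
    nc_str = f"{nc:08x}"
    a1 = ha1(user, p["realm"], password)
    a2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f'{a1}:{p["nonce"]}:{nc_str}:{cnonce}:{p["qop"]}:{a2}')
    return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc_str}, cnonce="{cnonce}", '
            f'response="{resp}", opaque="{p["opaque"]}"')


def server_verify(authorization: str, method: str, uri: str) -> bool:
    """Server checks the response using only the stored HA1 and its own nonce state."""
    scheme, p = parse_params(authorization)
    if scheme != "Digest" or p.get("realm") != REALM:
        return False
    stored = SERVER_HA1.get(p.get("username", ""))
    nonce = p.get("nonce")
    if stored is None or nonce not in _issued_nonces:
        return False  # unknown user, or a nonce we never issued / already expired
    try:
        nc = int(p.get("nc", ""), 16)
    except ValueError:
        return False
    if nc <= _issued_nonces[nonce]:
        return False  # nonce-count did not advance: a replayed header
    if p.get("uri") != uri:
        return False  # response was bound to a different request URI
    a2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f'{stored}:{nonce}:{p["nc"]}:{p.get("cnonce", "")}:auth:{a2}')
    if not hmac.compare_digest(expected, p.get("response", "")):
        return False
    _issued_nonces[nonce] = nc
    return True


def demo():
    """Run both schemes once; returns values the reader can inspect."""
    recovered = basic_decode(basic_header("consumer-key-1", "consumer-secret-1"))
    chal = server_challenge()
    auth = client_response(chal, "consumer-key-1", "consumer-secret-1", "GET", "/v1/orders")
    first_ok = server_verify(auth, "GET", "/v1/orders")
    replay_ok = server_verify(auth, "GET", "/v1/orders")  # identical header resent
    bad = client_response(chal, "consumer-key-1", "wrong-secret", "GET", "/v1/orders", nc=2)
    bad_ok = server_verify(bad, "GET", "/v1/orders")
    secret_on_wire = "consumer-secret-1" in auth
    return recovered, first_ok, replay_ok, bad_ok, secret_on_wire


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing when reading the verify side, which is the part that would have to run inside the proxy. First, what Digest actually protects is the password string itself: the response is still computed with MD5 over values an eavesdropper can see, so without TLS it is open to offline dictionary attacks, and the stored HA1 is password-equivalent for this realm. Second, the replay and URI-binding checks come from the server tracking nonces and nonce-counts; a verifier that only recomputes the hash and skips that state accepts any captured header again.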