Http Authorization Header
Detects HTTP Authorization header patterns containing Bearer tokens, Basic credentials, and other authentication schemes. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence. An Authorization header with a Bearer or Basic scheme prefix followed by a token value is a well-defined HTTP authentication pattern. Added context gating and exclusion rules improve precision and reduce incidental matches.
- Detection quality: Verified
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories: credentials, security
- Scope: specific
- Risk rating: 10
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
\bAuthorization:\s*(Bearer|Basic)\s+[A-Za-z0-9+/=._~-]{10,}
Corroborative evidence keywords
Authorization, Bearer, Basic, token, header, HTTP, authentication, API, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie (+44 more)
Proximity: 300 characters
Should match
- Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.AAAA0000.BBBB1111 — Bearer token with JWT format
- Authorization: Basic QUFBQUJCQUJCQ0NDQ0RERURFRUV= — Basic auth with Base64 credentials
- Authorization: Bearer AAAA0000BBBB1111CCCC2222DDDD3333 — Bearer token with opaque token format
Should not match
- Authorization: — Empty authorization header
- The Authorization header is required — Documentation reference without actual header
- template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present
Known false positives
- API documentation and HTTP specification references showing Authorization header examples. Mitigation: Check for common placeholder tokens and documentation context.
- Log files containing Authorization headers with redacted or expired tokens. Mitigation: Check for redaction markers like [REDACTED] or expired JWT timestamps.
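
The two mitigations above, applied to matches of this page's pattern, as an added example that is not part of the original pattern definition or of any listed platform. The placeholder marker list, the function names and the sample JWT are assumptions constructed for illustration.

```python
import base64
import json
import re
import time

# Pattern copied verbatim from this page.
PATTERN = re.compile(r"\bAuthorization:\s*(Bearer|Basic)\s+[A-Za-z0-9+/=._~-]{10,}")
# Assumed placeholder/redaction markers (not from the page); tune per environment.
PLACEHOLDERS = ("redacted", "placeholder", "example", "your-token", "xxxx")
# Constructed sample JWT whose payload decodes to {"exp": 1000}.
SAMPLE_JWT = "eyJhbGciOiAiSFMyNTYifQ.eyJleHAiOiAxMDAwfQ.c2lnbmF0dXJl"


def jwt_expiry(token):
    """Return the exp claim of a JWT-shaped token, or None if unreadable."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, (int, float)) else None


def classify(text, now=None):
    """Return (scheme, verdict) per match; the token itself is never returned."""
    now = time.time() if now is None else now
    findings = []
    for m in PATTERN.finditer(text):
        token = m.group(0).split()[-1]
        exp = jwt_expiry(token) if m.group(1) == "Bearer" else None
        if any(p in token.lower() for p in PLACEHOLDERS):
            verdict = "placeholder"  # documentation or redacted sample
        elif exp is not None and exp < now:
            verdict = "expired"  # logged JWT past its exp timestamp
        else:
            verdict = "live"  # treat as a real credential
        findings.append((m.group(1), verdict))
    return findings


if __name__ == "__main__":
    for line in ("Authorization: Bearer " + SAMPLE_JWT,
                 "Authorization: Bearer your-token-here",
                 "Authorization: Basic QUFBQUJCQUJCQ0NDQ0RERURFRUV="):
        print(classify(line))
```

The `exp` claim is read without verifying the JWT signature, so an "expired" verdict is a triage hint for lowering priority, not proof that the logged token is harmless.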