Securing passwords for REST Authentication

The following links may provide you with an in-depth answer:

  • REST security standards
  • I just send username and password over https. Is this ok?
  • https://stackoverflow.com/questions/3461298/password-hashing-non-ssl

Please keep in mind that it is better to not use the username-password combination in every request that you make. Better is to authenticate the user, generate a token server-side, communicate it to the client (e.g. in a cookie) and use that token as authentication for subsequent requests. This link can guide you in that process: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md.