Should HTTP Basic Auth passwords be stored hashed server-side?

Passwords in general should be stored hashed on the server, no matter if they are transferred within some HTTP POST body as a result of a form submit or if they are transferred in the HTTP header as in Basic authentication.


Yes, it should be. The default backend for HTTP Basic Auth is htpasswd, and it encrypts passwords*:

htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine. Files managed by htpasswd may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

If you're setting up an alternative backend, such as a database, then you should provide salting and hashing as strong protections against password compromise.

*Note that, per the manual, "The SHA and crypt() formats are insecure by today's standards."
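
An added example, not part of the answers above or of Apache's own tooling: a small audit that labels each record in an htpasswd file by the four formats named in the manual quote and flags the ones the manual calls insecure. The regular expressions, the treatment of crypt() as the traditional 13-character form, and the sample file are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

# Shapes of the four formats named in the htpasswd manual quote above.
PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5-apr1", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    # Assumption: crypt() here means the traditional 13-character DES form.
    ("crypt", re.compile(r"^[./A-Za-z0-9]{13}$")),
]
# SHA and crypt() per the manual's note; unrecognised fields need manual review.
FLAGGED = {"sha1", "crypt", "unknown"}

def classify(hash_field):
    for scheme, pattern in PATTERNS:
        if pattern.match(hash_field):
            return scheme
    return "unknown"

def audit(htpasswd_text):
    report = []  # one (user, scheme, flagged) tuple per record
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        report.append((user, scheme, scheme in FLAGGED))
    return report

def sha_entry(password):
    # A {SHA} field is the base64 of the unsalted SHA-1 digest.
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

# Constructed sample; bcrypt, apr1 and crypt values are shape-only placeholders.
SAMPLE = "\n".join([
    "alice:$2y$05$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "B" * 22,
    "carol:" + sha_entry("example-password"),
    "dave:" + sha_entry("example-password"),  # same password as carol
    "erin:ab" + "C" * 11,
])

if __name__ == "__main__":
    for user, scheme, flagged in audit(SAMPLE):
        print(f"{user:6} {scheme:9} {'REVIEW' if flagged else 'ok'}")
```

In the sample, carol and dave share a password and their `{SHA}` fields are byte-for-byte identical, because that format has no salt.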