It was originally implemented by Ari Luotonen at CERN in 1993[1] and defined in the HTTP 1.0 specification in 1996.
Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password.
HTTP does not provide a method for a web server to instruct the client to "log out" the user.
[5][6] Brute forcing credentials is not actively prevented or detected (unless a server-side mechanism is used).
When the user agent wants to send authentication credentials to the server, it may use the Authorization header field.
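A server-side mechanism of the kind the brute-forcing remark calls for, together with the `Authorization` header it has to inspect, as an added example that is not part of the original page. The `BasicAuthGuard` class, the policy of 5 failures per 300 seconds and the in-memory user store are assumptions made for illustration.

```python
import base64
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5      # assumed policy, not from the page
WINDOW_SECONDS = 300  # assumed policy, not from the page

def basic_header(user, password):
    """Build the Authorization header value a user agent would send."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and invalid UTF-8
        return None
    user, sep, password = text.partition(":")  # the password may contain ':'
    return (user, password) if sep else None

class BasicAuthGuard:
    """Hypothetical server-side check: 200, 401 (challenge) or 429 (throttled)."""
    def __init__(self, users, clock=time.monotonic):
        self.users = users  # constructed demo store; keep password hashes in practice
        self.clock = clock
        self.failures = defaultdict(deque)  # client address -> failure timestamps

    def check(self, client, header):
        now = self.clock()
        recent = self.failures[client]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            return 429  # throttled: credentials are not even evaluated
        creds = parse_basic(header)
        if creds is None:
            return 401  # missing or malformed header: just challenge
        user, password = creds
        expected = self.users.get(user, "")
        same = hmac.compare_digest(password.encode(), expected.encode())
        if same and user in self.users:
            return 200
        recent.append(now)  # count the failed guess against this client
        return 401
```

Because the credentials are only base64-encoded, a guard like this belongs behind TLS; the throttle limits guessing but does nothing for confidentiality.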