Securing passwords for REST Authentication
The following links may provide you with an in-depth answer:
- REST security standards
- I just send username and password over https. Is this ok?
- https://stackoverflow.com/questions/3461298/password-hashing-non-ssl
Please keep in mind that it is better to not use the username-password combination in every request that you make. Better is to authenticate the user, generate a token server-side, communicate it to the client (e.g. in a cookie) and use that token as authentication for subsequent requests. This link can guide you in that process: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md.