There two method of HTTP authentication. basic or digest method.
On basic auth, Server describes WWW-Authenticate header with 401 Unauthorized response.
In this case, ID, PW exposure on WWW-Authenticate header.
you can web admin authentication Bypass.
Furthermore, the basic authentication client sends ID, Password by encoding base-64.
Anyone can decode ID, PW and get access to the server who captured parameter.