Pass username and password in URL for HTTP Basic Auth

When passing the username and password encoded in the URL, for example: https://Aladdin:OpenSesame@www.example.com/index.html

Is the client actually sending this in the authorization header? What kind of processing is needed on the server side for this type of URL encoding?



1 answer


Is the client actually sending this in the authorization header?

It depends on what the client is. If the client is a browser, the answer is no. Here are the results of the experiment:

  • Chrome does not send the authorization header.
  • Firefox does not send the authorization header. Firefox will also show a confirmation dialog, since it is unusual to proactively send authentication information.
  • Safari does not send the authorization header. Safari will first display a warning page, as it suspects the URL belongs to a phishing site.
  • Opera does not send the authorization header.
  • I am on a Mac and cannot run the experiment on IE / Edge. But given how the other browsers behave, I think IE / Edge will act the same. Anyway, I would appreciate it if someone ran the experiment and posted the result.

Generally speaking, the browser will ignore authentication information proactively placed in the URL, for security reasons.

However, if the client is a development tool, the authentication information may be base64 encoded and sent as an Authorization header. Here are some results from the experiment:

  • In curl, yes, the Authorization header is sent.
  • In Postman, no Authorization header is sent.


Whether the Authorization header is sent depends on the design of the tool.

What kind of processing is needed on the server side for this type of URL encoding?

On the server side, all you have to do is get the base64-encoded string from the Authorization header, decode it, and check whether it is valid.

Would it be different if the HTTP protocol were used in the example URL?

For security reasons, yes: sending the Authorization header over plain HTTP is very insecure. Base64 encoding / decoding brings no security benefit; it can be decoded by anyone.

Otherwise, the two cases are the same.

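As an added example (not part of the original question or answer), here are the two sides of what the answer describes, in Python: a client routine that moves `user:password@` out of the URL and into the `Authorization: Basic` header the way a tool such as curl does, and the server-side check that decodes that header and validates it. `header_from_url`, `check_basic_auth` and the `Aladdin` / `OpenSesame` user table are my own names and constructed sample data. Two details the answer leaves out are included because they bite in practice: the userinfo part of a URL may be percent-encoded and must be unquoted before encoding, and the decoded `user:password` string must be split at the first colon only, since a password may itself contain colons.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit


def header_from_url(url: str) -> Tuple[str, Optional[str]]:
    """Client side: move user:password@ out of the URL and into a Basic header.

    Returns (url_without_userinfo, header_value); header_value is None when
    the URL carried no credentials.  The userinfo may be percent-encoded
    (e.g. user%40corp), so it is unquoted before base64 encoding.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    # Rebuild the netloc without the userinfo so credentials never appear
    # in the request line or in server access logs.
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean_url = parts._replace(netloc=host).geturl()
    return clean_url, f"Basic {token}"


def check_basic_auth(header: Optional[str], users: Dict[str, str]) -> Optional[str]:
    """Server side: validate an Authorization header; return the username or None.

    `users` maps username -> expected password (constructed sample data).
    A real server would store a salted hash and verify against that; plaintext
    is used here only to keep the example self-contained.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)  # reject junk input
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = users.get(user)
    if expected is None:
        # Still perform a comparison so unknown and known users cost similar time.
        hmac.compare_digest(password.encode("utf-8"), b"\x00")
        return None
    # Constant-time comparison avoids leaking how much of the password matched.
    if hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return user
    return None


if __name__ == "__main__":
    # Constructed sample: the URL from the question and a matching user table.
    clean, auth = header_from_url("https://Aladdin:OpenSesame@www.example.com/index.html")
    print("GET", clean)
    print("Authorization:", auth)
    print("authenticated as:", check_basic_auth(auth, {"Aladdin": "OpenSesame"}))
```

For the URL in the question, `header_from_url` yields `https://www.example.com/index.html` plus `Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l`, which is exactly what the server decodes back to `Aladdin:OpenSesame`. Note that `check_basic_auth` rejects a missing header, a non-Basic scheme, and a token that is not valid base64, and that none of this makes the credential any less readable on the wire: the answer's point about plain HTTP stands, and Basic auth only belongs behind TLS.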