Security of python flask REST API using HTTP Basic

Posted 2019-07-20 23:47

Question:

I have Python Flask running on my server exposing a REST API that is being consumed by an iOS app. I'm using HTTP Basic Authentication using the Flask-HTTPAuth module. I wanted to know how secure this is, because the username:password string would be sent on every request.

Do I need to use HTTPS instead?

Thanks!

Sorry for bad English. Still learning.

Answer 1:

Your current system is (very!) insecure: the login information can be seen in transit by anyone.

The easiest way to add secure HTTP is to install a proxy server like nginx. Then nginx is configured for secure HTTP, but it relays all the requests to the Flask application listening on a private socket without encryption.

This link will send you to the nginx documentation on secure HTTP.
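As an added illustration of the setup this answer describes (example configuration, not from the answer or the nginx documentation): nginx terminates TLS on port 443 and relays requests to the Flask application over a private Unix socket, while plaintext port 80 only redirects. The hostname, certificate paths and socket path are placeholders for your own values.

```nginx
# Flask (e.g. served by gunicorn) listens only on this socket, so the
# unencrypted hop never leaves the host. Path is a placeholder.
upstream flask_api {
    server unix:/run/flask-api.sock;
}

# Plaintext port: never serve the API here, only redirect, so Basic
# credentials are not accepted over HTTP at all.
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # Certificate and key paths are placeholders.
    ssl_certificate     /etc/ssl/certs/api.example.com.pem;
    ssl_certificate_key /etc/ssl/private/api.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell clients to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://flask_api;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets Flask see that the original request arrived over HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the result with `nginx -t` before reloading, and confirm the socket file is not reachable from outside the host (it should only be readable by the nginx and Flask service users).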



Answer 2:

Alternatively, you can have HTTPS running directly from Flask. The link has clear instructions on how to do this. It is a quick, easy method to use while developing.

For production, I'd use Apache's mod_ssl function, or as already stated by Miguel, nginx, as proxy servers.