diff --git a/httpbin/core.py b/httpbin/core.py
index 305c9882..18ffd876 100644
--- a/httpbin/core.py
+++ b/httpbin/core.py
@@ -941,8 +941,10 @@ def delete_cookies():
 return r
+@app.route("/basic-auth")
+@app.route("/basic-auth/")
 @app.route("/basic-auth//")
-def basic_auth(user="user", passwd="passwd"):
+def basic_auth(user="", passwd=""):
 """Prompts the user for authorization using HTTP Basic Auth.
 ---
 tags:
diff --git a/test_httpbin.py b/test_httpbin.py
index b7104ffc..4b430e5c 100755
--- a/test_httpbin.py
+++ b/test_httpbin.py
@@ -234,10 +234,29 @@ def test_set_cors_headers_after_request(self):
 )
 def test_set_cors_credentials_headers_after_auth_request(self):
- response = self.app.get('/basic-auth/foo/bar')
+ self._test_set_cors_credentials_headers_after_auth_request('/basic-auth/foo/bar', 'Basic Zm9vOmJhcg==')
+ self._test_set_cors_credentials_headers_after_auth_request('/basic-auth/foo', 'Basic Zm9vOg==')
+ self._test_set_cors_credentials_headers_after_auth_request('/basic-auth', 'Basic Og==')
+
+ def _test_set_cors_credentials_headers_after_auth_request(self, path, basic_auth):
+ response = self.app.get(path)
 self.assertEqual(
 response.headers.get('Access-Control-Allow-Credentials'), 'true'
 )
+ self.assertEqual(
+ response.headers.get('Www-Authenticate'), 'Basic realm="Fake Realm"'
+ )
+ self.assertEqual(
+ response.status_code, 401
+ )
+ response = self.app.get(path, headers={'Authorization': 'Basic BADHASH=='})
+ self.assertEqual(
+ response.status_code, 401
+ )
+ response = self.app.get(path, headers={'Authorization': basic_auth})
+ self.assertEqual(
+ response.status_code, 200
+ )
 def test_set_cors_headers_after_request_with_request_origin(self):
 response = self.app.get('/get', headers={'Origin': 'origin'})
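Review bot: In httpbin/core.py, the new defaults `user=""` and `passwd=""` on `basic_auth` mean the two added routes succeed only for an empty user and/or empty password, and the visible part of the docstring does not say so. I would add a sentence to it such as `Path segments that are omitted are treated as empty strings, so /basic-auth expects the credential pair ":" (empty user, empty password).` The docstring continues past the end of the hunk, so any parameter declarations there that still describe `user` and `passwd` as required path parameters should be relaxed in the same change. As rendered on this page the route strings carry no variable segments (`"/basic-auth//"`), which looks like an extraction artefact rather than the committed text, but it is worth confirming against the file.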
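Review bot: In test_httpbin.py, the helper `_test_set_cors_credentials_headers_after_auth_request` never sends a well-formed `Authorization` header carrying the wrong credentials. Apart from the missing header, the only rejection it exercises is `'Basic BADHASH=='`, which does not appear to be a valid encoding of a `user:password` pair. With the empty-string defaults added to `basic_auth`, the case worth pinning is that `/basic-auth` and `/basic-auth/foo` still answer 401 to a non-matching pair. For example, add `response = self.app.get(path, headers={'Authorization': 'Basic d3Jvbmc6d3Jvbmc='})` followed by `self.assertEqual(response.status_code, 401)`, where the header value is a constructed encoding of `wrong:wrong`. The helper is called for three paths from one test method, so passing `msg=path` to each assertion would show which path failed.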