Nginx
Evdokim, 2019-10-07 17:32:02

How secure is Auth_basic in Nginx?

Some web resources are closed by the normal auth_basic "Restricted" in Nginx. How secure is this method? Is it easy to break? The password file is stored in a secure location.


3 answer(s)
ky0, 2019-10-07

Without HTTPS and a limit on the number of attempts, it is better not to use it. If it is possible to configure access using client certificates, it is better not to use it at all.

AlexGluck, 2019-10-08

The answer to the question follows easily from understanding how this mechanism works. Here is the RFC link. From it we learn that the mechanism is extremely primitive: the login and password are concatenated as a string, the resulting string is encoded with the base64 algorithm, and that string is placed in an HTTP header and sent to the server.

Next, we can take SSL for the HTTP protocol and, according to its mechanism, find out that apart from the server name (with eSNI the server name is encrypted as well), all HTTP protocol data is encrypted more securely (though this depends on the client/browser and server settings); this mechanism protects against interception of data on the way to the server.

The next problem is storing logins and passwords in clear text on the server. There are several ways to protect them; we use an HTTPS service that goes over SSL to AD/LDAP and checks our pair there. The number of calls from one IP address is limited on the web server, and the number of calls with one login from one source is limited by our AD/LDAP. The service that goes to AD/LDAP is separate from the web server. The service that goes to LDAP holds the access details only at runtime, and in case of a crash it is restarted by an orchestrator that takes the LDAP access details from the vault service, for which a limit on the number of starts is also set.

We also have HSTS to prevent SSL certificate spoofing on the client, and on the server side we limit SSL algorithms to only the most reliable ones. This is not ideal, and there are more advanced methods that, for example, Facebook is now implementing (there is also a similar service from Russian-speaking developers).
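
Putting the two answers above (HTTPS plus an attempt limit, and HSTS with restricted TLS versions) into an nginx configuration, as an added example that is not from this thread: the first server block is the weak setup the question describes, the rest is the hardened equivalent. The hostname, file paths, zone name and rate are assumptions.

```nginx
# Weak: auth_basic on plain HTTP. The credentials cross the network as
# base64("user:password"), readable by anyone on the path, and nothing
# slows down a client that keeps guessing passwords.
server {
    listen 80;
    server_name example.com;                      # assumed hostname

    location /private/ {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd; # assumed path
    }
}

# Hardened: the same auth_basic, but only reachable over TLS, with HSTS
# and a per-source-address request limit on the protected location.
limit_req_zone $binary_remote_addr zone=basic_auth:10m rate=10r/m; # assumed zone and rate

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;         # never serve the login over HTTP
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;          # drop legacy protocol versions

    # Browsers that have seen this header refuse plain HTTP for a year,
    # so a downgraded or spoofed connection is rejected client-side.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /private/ {
        # 10 requests per minute per source address: a short burst is allowed,
        # anything beyond it gets 429 instead of another password check.
        limit_req        zone=basic_auth burst=5 nodelay;
        limit_req_status 429;

        auth_basic           "Restricted";
        # The file holds password hashes, not plaintext; create entries with
        # htpasswd from apache2-utils and keep the file unreadable to others.
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
```

limit_req throttles every request to the location, successful ones included; nginx has no built-in counter of failed logins, so limiting only failures means reading 401s from the access log (fail2ban) or delegating the check to a separate auth service as the answer above describes.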

paran0id, 2019-10-07

Without HTTPS it is better not to use it.
