improv example the help file

javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp

@@ -21,6 +21,20 @@
 </p>
 </recommendation>
 
+<example>
+  <p>
+    The following code example connects to an HTTP request using an hard-codes authentication header
+  </p>
+
+  <sample src="examples/HardcodedCredentialsHttpRequest.js"/>
+
+  <p>
+    Instead, user name and password can be supplied through the environment variables
+    <code>username</code> and <code>password</code>, which can be set externally without hard-coding
+    credentials in the source code.
+  </p>
+</example>
+
 <example>
   <p>
     The following code example connects to a Postgres database using the <code>pg</code> package

javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequest.js

@@ -0,0 +1,18 @@
+let base64 = require('base-64');
+
+let url = 'http://example.org/auth';
+let username = 'user';
+let password = 'passwd';
+
+let headers = new Headers();
+
+//headers.append('Content-Type', 'text/json');
+headers.append('Authorization', 'Basic' + base64.encode(username + ":" + password));
+
+fetch(url, {method:'GET',
+        headers: headers,
+        //credentials: 'user:passwd'
+       })
+.then(response => response.json())
+.then(json => console.log(json));
+//.done();