Details
Type: Improvement
Status: In Progress
Priority: Major
Resolution: Unresolved
Affects Version/s: HTTPBuilder-0.5.1
Fix Version/s: HTTPBuilder-0.5.3
Component/s: HttpBuilder
Labels: None
Description
When using Basic Authentication, a request without an Authorization header is first sent to the server, and the server is supposed to respond with 401. Then the client tries again, this time with an Authorization header.
According to http://en.wikipedia.org/wiki/Basic_access_authentication, a client may pre-emptively send the Authorization header in its first request.
This is a must when dealing with servers that do not respond with 401, but maybe a 200 and a login form in HTML (taken from a real-life example).
It is possible to work around this problem in the current version of HTTPBuilder by setting the Authorization header manually, but it requires the user to know how Basic Authentication works.
A flag to enable the Authorization header on the first request would be a great new feature, along with an update to the documentation about this flag and why it might be considered a security risk.
The flag could be false by default, although other frameworks like groovy-wslite send the Authorization header on the first request by default.
See thread on mailing list: http://groovy.329449.n5.nabble.com/Misc-HTTPBuilder-Issues-WAS-httpbuilder-performance-with-large-response-tt4999500.html
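
The manual workaround and the security concern mentioned in the description can be combined in one guard. The following is an added example, not code from the issue or from HTTPBuilder: preemptiveBasicHeaders and trustedHosts are hypothetical names, the host api.example.test is constructed, and the credentials are the sample pair from RFC 7617.

```groovy
import java.nio.charset.StandardCharsets

// Hypothetical helper (not part of HTTPBuilder): returns the header to send on
// the first request, or an empty map when sending it would expose credentials.
Map<String, String> preemptiveBasicHeaders(String url, String user, String pass,
                                           Set<String> trustedHosts) {
    URI uri = new URI(url)
    // Base64 is an encoding, not encryption: never send it over plain HTTP.
    if (!'https'.equalsIgnoreCase(uri.scheme)) {
        return [:]
    }
    // Without a 401 challenge the client cannot know the server wants these
    // credentials, so restrict pre-emptive sending to hosts named up front.
    if (!trustedHosts.contains(uri.host?.toLowerCase())) {
        return [:]
    }
    // The user-id may not contain ':' because the server splits on the first one.
    if (user.contains(':')) {
        throw new IllegalArgumentException('user-id must not contain a colon')
    }
    byte[] raw = (user + ':' + pass).getBytes(StandardCharsets.UTF_8)
    return [Authorization: 'Basic ' + raw.encodeBase64().toString()]
}

// Constructed sample input.
Set<String> trusted = ['api.example.test'] as Set

def ok = preemptiveBasicHeaders('https://api.example.test/report', 'Aladdin', 'open sesame', trusted)
assert ok.Authorization == 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='

// Plain HTTP: the credentials would cross the network in recoverable form.
assert preemptiveBasicHeaders('http://api.example.test/report', 'Aladdin', 'open sesame', trusted).isEmpty()

// Host not on the allow-list: fall back to the normal 401 challenge flow.
assert preemptiveBasicHeaders('https://other.example.test/', 'Aladdin', 'open sesame', trusted).isEmpty()

// With HTTPBuilder the resulting map would be applied as default headers, e.g.:
//   def http = new groovyx.net.http.HTTPBuilder('https://api.example.test/')
//   http.setHeaders(ok)
```

Default headers set this way are attached to every request the builder instance makes, so the instance should only be used for the host that passed the check.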