The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
this will avoid timing attacks against applications that use basic auth. CVE-2015-7576