2

I have Apache basic authentication enabled on a test server and it works great:

AuthType Basic
AuthName "testing"
AuthUserFile /home/www/.htpasswd
Require user MyUser

deny from all

But it is also trying to authenticate requests sent via the OPTIONS method. Which is a problem because the CORS specification says that you should Exclude user credentials - https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0

How do I disable authentication for requests coming in with the OPTIONS method?

(Similar to this for Tomcat: Disable authentication for OPTIONS requests in Tomcat )

GIS-Jonathan
  • 123
  • 1
  • 4

1 Answers1

1

You can perhaps use an Apache expression (Apache 2.4+) to only apply the HTTP Basic Auth directives when the request method is not "OPTIONS".

For example:

<If "%{REQUEST_METHOD} != 'OPTIONS'">
# Authentication directives...
</If>

Reference:

https://httpd.apache.org/docs/2.4/expr.html

deny from all

You shouldn't need to use this (Apache 2.2) directive with your Basic Auth directives.

MrWhite
  • 11,643
  • 4
  • 25
  • 40