6

I am using HTTP basic authentication (username & password) on a site, including API endpoints, hosted in Apache. I am doing something like this in .htaccess:

```apache
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen
```

Since I am consuming the API from the browser side in a page hosted on another domain (the CORS part is already solved), I need to allow certain requests UNauthenticated. These requests are the requests whose method is "OPTIONS" (preflight, as explained here: http://www.w3.org/TR/cors/#resource-preflight-requests). Please, I don't need any info about ajax or any other thing on the browser; I need to know how to do this on Apache.

Thanks in advance

dseminara

1 Answer

9

You can use mod_setenvif here.

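```apache
# Set the env variable "allowed" when the request method is OPTIONS (CORS preflight)
SetEnvIfNoCase Request_Method OPTIONS allowed

AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen
# Host-based access: deny everything except requests carrying the "allowed" variable
Order deny,allow
Deny from all
Allow from env=allowed
# Either check is enough: the env-based Allow above or valid credentials
Satisfy any
```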
anubhava
  • 1
    Thanks, I was missing: `Order deny,allow Deny from all Allow from env=allowed Satisfy any` to get the preflight to operate correctly – Hugo P May 03 '17 at 12:14
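A regression check for the exemption discussed above, added here as an example and not part of the original question or answer: it confirms that an unauthenticated OPTIONS request is not challenged while GET, POST, PUT and DELETE still return 401. The `StandIn` server, the password and all function names are assumptions made so the check runs offline; call `audit(host, port)` against a real plain-HTTP host instead.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials, used only by the local stand-in below.
EXPECTED = "Basic " + base64.b64encode(b"rbowen:example-password").decode()

class StandIn(BaseHTTPRequestHandler):
    """Local stand-in for the protected site: open_methods skip Basic auth."""
    open_methods = {"OPTIONS"}
    def _reply(self):
        ok = self.command in self.open_methods or self.headers.get("Authorization") == EXPECTED
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted Files"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_OPTIONS = do_GET = do_POST = do_PUT = do_DELETE = _reply
    def log_message(self, *args):  # keep the demo quiet
        pass

def status(host, port, method, auth=None):
    """Send one body-less request and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, "/", headers={"Authorization": auth} if auth else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status

def audit(host, port):
    """Return policy violations; an empty list means only OPTIONS is exempt."""
    problems = []
    if status(host, port, "OPTIONS") == 401:
        problems.append("OPTIONS preflight is challenged")
    for method in ("GET", "POST", "PUT", "DELETE"):
        if status(host, port, method) != 401:
            problems.append(f"{method} allowed without credentials")
    return problems

def run_demo(handler=StandIn):
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```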