I have Apache basic authentication enabled on a test server and it works great:
AuthType Basic
AuthName "testing"
AuthUserFile /home/www/.htpasswd
Require user MyUser
deny from all
But it is also trying to authenticate requests sent via the OPTIONS method, which is a problem because the CORS specification says that you should "Exclude user credentials"
– https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
How do I disable authentication for requests coming in with the OPTIONS method?
(Similar to this for Tomcat: Disable authentication for OPTIONS requests in Tomcat)
Best Answer
You can perhaps use an Apache expression (Apache 2.4+) to only apply the HTTP Basic Auth directives when the request method is not "OPTIONS".
For example:
Reference:
https://httpd.apache.org/docs/2.4/expr.html
You shouldn't need to use this (Apache 2.2) directive with your Basic Auth directives.
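One way to write the expression-based approach described in this answer, shown as an added example rather than the answerer's own code. It assumes Apache 2.4+ and that the block sits in the same `.htaccess` or `<Directory>` context as the question's original directives:

```apache
# Added example (not from the original answer).
# Apply HTTP Basic Auth only when the request method is not OPTIONS,
# so CORS preflight requests (which carry no credentials) are not
# answered with 401.
<If "%{REQUEST_METHOD} != 'OPTIONS'">
    AuthType Basic
    AuthName "testing"
    AuthUserFile /home/www/.htpasswd
    Require user MyUser
</If>

# The 2.2-style "deny from all" line from the question is omitted here:
# in 2.4 it is handled by mod_access_compat, and access control is
# normally expressed with Require directives instead.
```

With this in place, OPTIONS requests reach the resource unauthenticated, so whatever handles OPTIONS should return only the CORS response headers and no protected content. A credential-less OPTIONS request should no longer get a 401, while a credential-less GET still should.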