
disable basic authentication for HTTP OPTIONS for CORS

Open rparree opened this issue 7 years ago • 3 comments

This is to make CORS work together with basic authentication. OPTIONS should not be restricted, as browsers don't send the auth bearer for pre-flight requests.

rparree avatar Oct 17 '18 11:10 rparree

Is there any plan on accepting this fix? We are having the same issue using CORS + basic nginx auth, and it's quite cumbersome to re-build everything for one missing line! Thanks a lot! @buchdag

vemonet avatar Sep 13 '21 12:09 vemonet

I'm not sure this should be accepted.

When configuring http basic authentication, by default I would expect all requests to only be forwarded after authentication; that way no data can be accidentally leaked to unauthenticated clients.

IMO if any request is excluded from this, it should at least be documented in the README. Perhaps it should also be hidden behind a feature flag / environment variable.

tkw1536 avatar Sep 13 '21 16:09 tkw1536

Indeed, @tkw1536, it would make sense to make this disabled by default and only enabled if explicitly requested.

Still interested, @rparree? I'll take a look when I have some time otherwise.

vemonet avatar Sep 13 '21 18:09 vemonet
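
The trade-off discussed in this thread, shown as an added nginx configuration example. It is not nginx-proxy's template or the patch from this issue; the host name, htpasswd path, upstream address and location prefixes are placeholders assumed for illustration.

```nginx
# Constructed example: example.test, the htpasswd path, the upstream
# address and the /strict/ and /cors/ prefixes are placeholders.

upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.test;

    # Default behaviour: every method, OPTIONS included, must authenticate.
    # An unauthenticated CORS preflight gets 401 here, so the browser
    # never sends the real cross-origin request.
    location /strict/ {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd/example.test;
        proxy_pass           http://app_backend;
    }

    # Opt-in exemption: limit_except applies the enclosed directives to
    # every method except the ones listed, so only OPTIONS skips auth.
    location /cors/ {
        limit_except OPTIONS {
            auth_basic           "Restricted";
            auth_basic_user_file /etc/nginx/htpasswd/example.test;
        }
        # OPTIONS now reaches the backend unauthenticated: the backend must
        # answer it with CORS headers only and never with resource data.
        proxy_pass http://app_backend;
    }
}
```

Scoping the exemption to one location keeps the default of authenticating every request everywhere else.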