CORS - how to ignore authentication for OPTIONS preflight request in Apache's httpd.conf?

I had the same issue which I solved today with the help of this question. Basically your option c.

My conf structure is:

conf/httpd.conf <- normal stuff   conf.d/ssl.conf <- set up ssl stuff  conf.d/api.conf <- set specific stuff to api like Auth  /var/www/.htaccess <- set specific stuff to api again

This allows for limiting everything except for OPTIONS

/conf.d/api.conf file:

<Directory "/var/www/api">  AllowOverride All  Options FollowSymLinks  <LimitExcept OPTIONS>    Auth stuff here    Mainly your Require statements  </LimitExcept></Directory>

Then in my .htaccess file I set the headers.

The Apache manual in the require directive states "Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> [or <LimitExcept>] section."

I had to make sure my application could handle OPTIONS as this setup is not doing an automatic return. Here or here one can see how to redirect which may work instead of having something in the application handle it.

CodeHunter

CORS - how to ignore authentication for OPTIONS preflight request in Apache's httpd.conf?

Recent Posts

How can I color dots in a xy scatterplot according to column value?

How to update a claim in ASP.NET Identity?

What does {0} mean when initializing an object?

Accessing members of items in a JSONArray with Java

How to log SQL statements in Spring Boot?

Powershell Get-WebSite name parameter is ignored

How to detect scroll to bottom of html element

Java synchronized method

How to test controllers with CodeIgniter?

Detect Visual Composer

Matplotlib: Specify format of floats for tick labels

Rails join a list of strings with commas and "and" before the last