CORS - how to ignore authentication for OPTIONS preflight request in Apache's httpd.conf?
I had the same issue which I solved today with the help of this question. Basically your option c.
My conf structure is:
conf/httpd.conf <- normal stuff conf.d/ssl.conf <- set up ssl stuff conf.d/api.conf <- set specific stuff to api like Auth /var/www/.htaccess <- set specific stuff to api again
This allows for limiting everything except for OPTIONS
/conf.d/api.conf
file:
<Directory "/var/www/api"> AllowOverride All Options FollowSymLinks <LimitExcept OPTIONS> Auth stuff here Mainly your Require statements </LimitExcept></Directory>
Then in my .htaccess
file I set the headers.
The Apache manual in the require directive states "Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit>
[or <LimitExcept>
] section."
I had to make sure my application could handle OPTIONS as this setup is not doing an automatic return. Here or here one can see how to redirect which may work instead of having something in the application handle it.