The HTTP Authentication header is missing

The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.

If you are using Apache2, you may notice that the HTTP_AUTHORIZATION is missing from the list of variables sent to you. This is because Apache2 decides to not send clear passwords (even if base64 encoded) across processes.

In the old days (and the capability is still available), Apache would call processes with command line parameters as the data, instead of having environment variables.

Unfortunately, they decided to keep things that way when they switch to FastCGI. So you do not get the Authorization header passed down to your CGI scripts. Whether you use a Bash script, that header will always be missing from the list of parameters present in the environment.

The HTTP_AUTHORIZATION is probably the one header that comes up as missing over and over again.

A better way is to use a conditional environment variable:

    # ...
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    # ...

If you use nginx server try adding the following code to your nginx configuration.

fastcgi_pass_header Authorization;

Leave a Reply

Your email address will not be published. Required fields are marked *