Tag Archives: http options

Allowing digest auth with CORS on Chrome and LIGHTTPD

LigHTTPD is a very popular web server to use nowadays and it powers a lot of devices. I’ve mainly seen it in rasberry pi’s and other smaller servers but it’s powerful nonetheless.

Today I did some fiddling around with CORS to get data passed through another domain than the site was residing on. It all seemed fairly easy as it’s just a simple header to add to your server response, as described on enable cors

Turned out it wasn’t that easy. The server with the APIs are armed with Digest authentication for authorization and chrome has made it a must to send HTTP OPTIONS to check some parameters from the server.

Chrome needs in order to authenticate:

  • Access-Control-Allow-Origin: *
  • Access-Control-Expose-Headers: WWW-Authenticate
  • Access-Control-Allow-Headers: Authorization
  • Access-Control-Allow-Methods: POST, GET, OPTIONS

That’s easy enough with LigHTTPDs extra environment header in the server configuration:

setenv.add-response-header = (
"Access-Control-Allow-Origin" => "*",
"Access-Control-Expose-Headers" => "WWW-Authenticate",
"Access-Control-Allow-Headers" => "Authorization",
"Access-Control-Allow-Methods" => "POST, GET, OPTIONS"


But, that isn’t enough. If you have set up a rule in your server configuration that you require to authenticate, Chrome will fail when it gets 401 on it’s OPTION request and will not continue. In order to get that worked around I had to do some modifications in mod_auth to make sure it doesn’t authenticate on HTTP OPTIONS. It was an easy hack to implement once you figured out the functions and where to look.

All the needed code was:

//Hack to make OPTIONS pass through AUTH filter with just sending the headers needed by CORS on Chrome
const char *htm = get_http_method_name(con->request.http_method);
if(strcmp(htm,"OPTIONS") == 0){
con->http_status = 200;
con->mode = DIRECT;

I’ve attached the modified .c file for some convenience. I used the latest (to date) official releaseĀ 1.4.39. Hope this helps anyone out there who needs to use digest over CORS with LigHTTPD.