view mod_http_authentication/README.md @ 6411:b00638d74f46

mod_unified_push: Allow additional CORS headers for unified push (fixes #1985) - Request header "TTL" is mandated by the HTTP Push specification RFC 8030: https://datatracker.ietf.org/doc/html/rfc8030#section-5 - Firefox sends "Content-Encoding" with a HTTP form submission, so it is required when using the Unified Push testing tool at https://unifiedpush.org/test_wp.html (with the full URL being delivered by the UP-Example Android app) Adding both headers makes the Unified Push testing tool work from the browser. Resolves: https://issues.prosody.im/1985
author Christian Weiske <cweiske@cweiske.de>
date Sat, 21 Feb 2026 19:13:08 +0100
parents fe081789f7b5
children
line wrap: on
line source

---
labels:
- 'Stage-Beta'
summary: Enforces HTTP Basic authentication across all HTTP endpoints served by Prosody
...

# mod_http_authentication

This module enforces HTTP Basic authentication across all HTTP endpoints served by Prosody.

## Configuration

  Name                               Default                           Description
  ---------------------------------- --------------------------------- --------------------------------------------------------------------------------------------------------------------------------------
  http\_credentials                  "minddistrict:secretpassword"     The credentials that HTTP clients must provide to access the HTTP interface. Should be a string with the syntax "username:password".
  unauthenticated\_http\_endpoints   { "/http-bind", "/http-bind/" }   A list of paths that should be excluded from authentication.

## Usage

This is a global module, so should be added to the global `modules_enabled` option in your config file. It applies to all HTTP virtual hosts.

## Compatibility

The module use a new API in Prosody 0.10 and will not work with older
versions.

## Details

By Kim Alvefur \<zash@zash.se\>