From be0fddf796bef5f22f6222239a4d0c210ddc2822 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?=
Date: Sat, 15 Nov 2025 20:35:18 +0100
Subject: [PATCH] fix: remove HeaderAuthorization from forward-auth endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Only use CookieSession strategy for forward-auth endpoint to ensure browsers receive proper 302 redirects to the login page instead of HTTP Basic auth prompts. When HeaderAuthorization is in the strategies list, it sends www-authenticate headers that trigger browser Basic auth dialogs. For browser-based authentication, we only want CookieSession which handles redirects properly.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 net/authelia/configuration.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/net/authelia/configuration.yml b/net/authelia/configuration.yml
index 352f40f..b0bb21e 100644
--- a/net/authelia/configuration.yml
+++ b/net/authelia/configuration.yml
@@ -15,7 +15,6 @@ server:
 implementation: 'ForwardAuth'
 authn_strategies:
 - name: 'CookieSession'
- - name: 'HeaderAuthorization'
 log:
 level: info