Sebastian Krüger
be0fddf796
Only use CookieSession strategy for forward-auth endpoint to ensure browsers receive proper 302 redirects to the login page instead of HTTP Basic auth prompts. When HeaderAuthorization is in the strategies list, it sends www-authenticate headers that trigger browser Basic auth dialogs. For browser-based authentication, we only want CookieSession which handles redirects properly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>