There is also the possibility of filtering the authentication field when the HTTP request passes through a reverse proxy.
I think that Apache doesn't support this, but using a rewrite rule it is possible to return unauthorized or forbidden if the request contains an authentication header. This shouldn't be a problem (if this level of security is really required) since browsers shouldn't send this header anyway if they haven't received an unauthorized response and the user has entered a username/password.
Uhm, but at that moment it's too late, because the username and the password have already travelled the wire in clear text, haven't they?
cheers, oliver
True, however a combination with the previous method can lead to a rather secure setup. Apache can be configured to have two virtual hosts: www.site.com and https://manage.site.com. The public one disables access to the /manage and /manage_main methods and filters/blocks authentication headers. So:

a) Ordinary management users will never send their password in clear text, since access to /manage and /manage_main is blocked, so they are never going to be asked to do so (they are not going to use the POST method or something similar that we expect of the "evil" user).

b) Even if the "evil" user manages to obtain the username/password, he wouldn't be able to do anything through the public site. And the manage site can implement its own restrictions (on source IP or certificate) in the Apache config.

Vladimir
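The two-vhost layout Vladimir describes, written out as an added Apache 2.4 configuration example. This is not from the thread and not a config the posters published; the hostnames, the Zope backend address 127.0.0.1:8080, the admin network 10.0.0.0/8, the certificate and CA file paths, and the path regex for Zope's manage/manage_* methods are all assumptions for illustration. It needs mod_rewrite, mod_headers, mod_proxy, mod_proxy_http, mod_ssl and mod_authz_host loaded.

```apacheconf
# Public vhost: plain HTTP, proxied to Zope. Refuses the management
# URLs and any request that already carries credentials, so a browser
# is never challenged here and never sends a password in the clear.
<VirtualHost *:80>
    ServerName www.site.com

    # Block Zope's manage and manage_* methods on every object path
    # (assumption: the methods are reachable under any object, not
    # only at the site root, so the suffix is matched anywhere).
    <LocationMatch "(^|/)manage(_[^/]*)?$">
        Require all denied
    </LocationMatch>

    # Return 403 Forbidden to any request that carries an Authorization
    # header. A browser only sends one after a 401 challenge, and this
    # vhost never issues one, so ordinary users never trip this rule.
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} !^$
    RewriteRule ^ - [F]

    # Defence in depth: strip the header before proxying, so a request
    # that somehow bypasses the rewrite still cannot authenticate to Zope.
    RequestHeader unset Authorization

    # Backend address is an assumption.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Management vhost: HTTPS only, restricted by source IP and by client
# certificate, the two restrictions mentioned in the thread.
<VirtualHost *:443>
    ServerName manage.site.com

    SSLEngine on
    # Certificate and key paths are assumptions.
    SSLCertificateFile    /etc/ssl/certs/manage.site.com.pem
    SSLCertificateKeyFile /etc/ssl/private/manage.site.com.key

    # Client-certificate restriction: only certificates issued by our
    # own admin CA are accepted (CA file path is an assumption).
    SSLCACertificateFile /etc/ssl/certs/admin-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Source-IP restriction (admin network is an assumption).
    <Location />
        Require ip 10.0.0.0/8
    </Location>

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The rewrite rule answers the objection raised earlier only partly: a credential that was sent anyway has still crossed the wire to Apache, but it never reaches Zope and never authorises anything on the public host, which is point b) above. Either restriction on the management vhost can be dropped independently; with both in place a stolen password alone is useless because the attacker also needs an admin-network address and a CA-issued client certificate.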