Netlify function basic auth cors


I have a netlify function setup with basic auth and cors headers. I am trying to have another webpage call this function. When running locally on different ports, it works. When deployed, get auth and cors errors. In my netlify.toml, setup basic auth, and in both the toml and functions have headers Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods. Any help would be appreciated, thanks!

You cannot use our normal custom headers directly on functions, Jordan. Your headers will NOT apply to anything in the path /.netlify/* which are handled via a different system.

On the other hand, you should be able to send HTTP headers as output from the function itself. Not clear which way you’re doing it, so more information would be useful to help you out.

1 Like

Hi I’ve got a similar issue where I am applying Basic-Auth on my non-production environments. I’m deploying a lambda function on staging which I want to be accessible without Basic-Auth, however I get a 401 response unless I pass the Basic-Auth header. In my case my header rules seem to be applied to the /.netlify/* path

Hmm, that’s not quite a normal header. I think you’d be best served by specifying all the paths that DO need coverage (e.g. /assets, /posts) and not /* for that redirect, OR deploying the function on a separate, non-protected site.

I felt like my approach was wrong. I’ve managed to achieve what I wanted to by running 2 Netlify sites off of the same repository. One solely used for production with no CMS and the other password protected for staging, CMS and deployment previews.