I have the same problem: CF requires Basic Auth the first time and then doesn’t require it anymore if you point directly to static files (js or css). This behavior is particularly worrying because it opens external files that should only be served under basic auth.
Can you confirm that CF caches the basic auth and therefore if others called those files they would not see it without the credentials?
The public response directive indicates that the response can be stored in a shared cache. Responses for requests with Authorization header fields must not be stored in a shared cache; however, the public directive will cause such responses to be stored in a shared cache.
Yes, I’m not from the Cloudflare team, but they are acting correctly by caching files with “cache-control: public”. You should change the cache-control header, for example with a .htaccess file, if you don’t want the files to be cached by CF or other intermediaries.
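Added example (not part of the thread and not Cloudflare's code): a Python check of the rule quoted above, following RFC 9111 section 3.5, that reports which Cache-Control values let a shared cache store a response to a request that carried an Authorization header. The function names, paths and header values are constructed for illustration.

```python
# Added example: models the RFC 9111 section 3.5 rule for shared caches.
# It is not Cloudflare's implementation; all sample data below is constructed.

def parse_cache_control(value):
    """Return {directive: argument or None}; directive names are lowercased.
    Simplification: quoted arguments that contain commas are not handled."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store_authenticated(cache_control):
    """For a response to a request that carried Authorization, decide whether
    a shared cache (CDN, proxy) is allowed to store it. Returns (bool, reason)."""
    cc = parse_cache_control(cache_control or "")
    # These directives forbid shared-cache storage regardless of anything else
    # (a qualified private="field" is treated the same way here).
    for blocker in ("no-store", "private"):
        if blocker in cc:
            return False, f"'{blocker}' forbids storage in a shared cache"
    # RFC 9111 3.5: only these directives permit storing an authenticated response.
    for opt_in in ("public", "must-revalidate", "s-maxage"):
        if opt_in in cc:
            return True, f"'{opt_in}' permits storing the authenticated response"
    return False, "no directive opts in, so the Authorization rule applies"


# Constructed responses from an origin that protects everything with Basic Auth.
SAMPLE_RESPONSES = [
    ("/admin/", "no-store"),
    ("/static/app.js", "public, max-age=31536000"),
    ("/static/site.css", "max-age=3600"),
    ("/static/report.js", "private, max-age=3600"),
    ("/static/vendor.js", "s-maxage=600"),
]


def exposed_paths(responses):
    """Paths whose authenticated responses a shared cache may store and reuse."""
    return [p for p, cc in responses if shared_cache_may_store_authenticated(cc)[0]]


if __name__ == "__main__":
    for path, cc in SAMPLE_RESPONSES:
        ok, why = shared_cache_may_store_authenticated(cc)
        print(f"{'STORABLE' if ok else 'protected':9} {path:20} {cc!r}: {why}")
```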
Now it’s clear to me, but I have one last unclear point: are the ‘static’ js/css/etc. files cached and visible only to me (with my IP/user agent), or will they be visible to anyone (even without entering basic auth)?