I have the same problem: CF requires Basic Auth the first time and then doesn’t require it anymore if you point directly to static files (js or css). This behavior is particularly worrying because it opens external files that should only be served under basic auth.
Can you confirm that CF caches the basic auth and therefore if others called those files they would not see it without the credentials?
It’s not caching the auth, but it’s caching the assets (css and js). You can create a Page Rule for whatever URLs are behind Basic Auth, and have it set Cache Level to Bypass.
Please check the response headers returned by your server with /file.js, in particular the cache-control header. If it contains public, it’s working according to the specifications:
The public response directive indicates that the response can be stored in a shared cache. Responses for requests with Authorization header fields must not be stored in a shared cache; however, the public directive will cause such responses to be stored in a shared cache.
Status Code: 304 cache-control: public, max-age=14400
Instead, the responses for other php files are:
Status Code: 200 cache-control: no-store, no-cache, must-revalidate
So, if I understand correctly, I should set (with some directive) no-store, no-cache, must-revalidate for the whole stage subdomain. Did I understand correctly?
Yes. I’m not from the Cloudflare team, but they are acting correctly by caching files with “cache-control: public”. You should change the cache-control header, for example with a .htaccess file, if you don’t want the files to be cached by CF or other intermediaries.
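The rule quoted above (a shared cache must not reuse a response to a request that carried Authorization unless the response explicitly allows it with public, must-revalidate or s-maxage, and no-store always wins) can be checked against your own origin's headers. The following is an added example, not code from this thread or from Cloudflare; it models the generic HTTP caching rule rather than Cloudflare's own cache settings or Page Rules, and the sample headers are constructed to mirror the two responses quoted in the thread.

```python
# Decide whether a shared cache (a CDN such as Cloudflare, or any proxy) is
# permitted to store a response, given its Cache-Control header and whether
# the request carried an Authorization header (Basic Auth).
# Models the HTTP caching rule only; a real CDN's configuration may be stricter.
from typing import Dict, Tuple


def parse_cache_control(header: str) -> Dict[str, str]:
    """Split 'public, max-age=14400' into {'public': '', 'max-age': '14400'}."""
    directives: Dict[str, str] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def shared_cache_may_store(cache_control: str, has_authorization: bool) -> Tuple[bool, str]:
    """Return (storable_by_shared_cache, reason)."""
    d = parse_cache_control(cache_control)
    if "no-store" in d:
        return False, "no-store forbids storing the response in any cache"
    if "private" in d:
        return False, "private forbids storing the response in a shared cache"
    if has_authorization:
        # Responses to requests with Authorization are not shared-cacheable
        # unless one of these directives explicitly opts them in.
        allowed = [x for x in ("must-revalidate", "public", "s-maxage") if x in d]
        if not allowed:
            return False, "request had Authorization and no directive opts in to shared caching"
        return True, "request had Authorization, but %s explicitly permits shared caching" % ", ".join(allowed)
    return True, "no directive forbids shared caching"


# Constructed sample: the two responses quoted in the thread, both fetched
# through Basic Auth (so every request carried an Authorization header).
SAMPLE_RESPONSES = {
    "/file.js": "public, max-age=14400",
    "/index.php": "no-store, no-cache, must-revalidate",
}


def audit(responses: Dict[str, str]) -> Dict[str, bool]:
    """Flag which paths a shared cache may store despite Basic Auth."""
    return {path: shared_cache_may_store(cc, True)[0] for path, cc in responses.items()}
```

Any path reported True is one a CDN may serve to later visitors without re-running Basic Auth, which is exactly the /file.js case in the thread.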
Now it’s clear to me, but I have one last unclear point: are the ‘static’ js/css/etc. files cached and visible only to me (with my IP/user agent), or will they be visible to anyone (even without entering basic auth)?