CF shows resources even if they are under basic auth

Hi everyone,
I saw this post by Francesco:

I have the same problem: CF requires Basic Auth the first time and then doesn’t require it anymore if you point directly to static files (js or css). This behavior is particularly worrying because it opens external files that should only be served under basic auth.

Can you confirm that CF caches the basic auth and therefore if others called those files they would not see it without the credentials?

I’ve done dozens of tests with Chrome incognito.

Thank you

It’s not caching the auth, but it’s caching the assets (css and js). You can create a Page Rule for whatever URLs are behind Basic Auth, and have it set Cache Level to Bypass.

Hello and thanks for the reply.

I would like to be very clear, in case I didn’t explain it well.

I have two subdomains:

  • www
  • stage

the subdomain https://stage.example.com is ALL under basic auth.

These are the steps I do:

  • I open Chrome incognito and access https://stage.example.com/file.js (directly to the js file)
  • Chrome asks me for basic auth and I enter username/password
  • Chrome shows me the file https://stage.example.com/file.js correctly
  • NOW I close Chrome
  • I open a new Chrome incognito window (no other Chrome incognito windows are open)
  • I access https://stage.example.com/file.js directly and Chrome shows me the file WITHOUT my having entered the basic auth

The behavior of the last point leaves me doubts about the security issue. Any suggestions?

Thank you

I can only refer you to my previous answer. It’s caching the file. Bypass the cache for that subdomain, like I said.


Please check the response headers returned by your server for /file.js, in particular the cache-control header. If it contains public, it’s working according to the specification:

From Cache-Control - HTTP | MDN

public

The public response directive indicates that the response can be stored in a shared cache. Responses for requests with Authorization header fields must not be stored in a shared cache; however, the public directive will cause such responses to be stored in a shared cache.

Cache-Control: public

Hi Francesco,
the responses for file.js are:

Status Code: 304
cache-control: public, max-age=14400

Instead the responses for other php files are:

Status Code: 200
cache-control: no-store, no-cache, must-revalidate

So, if I understand correctly, I should set (with some directive) no-store, no-cache, must-revalidate for the whole stage subdomain. Did I understand correctly?

Thank you

Yes. I’m not from the Cloudflare team, but they are acting correctly by caching files with “cache-control: public”. You should change the cache-control header, for example with a .htaccess file, if you don’t want the files to be cached by CF or other intermediaries.

thanks Francesco.

Now it’s clear to me, but I have one last unclear point: are the ‘static’ js/css/etc. files cached and visible only to me (with my IP/user agent), or will they be visible to anyone (even without entering basic auth)?

Thanks again
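The following is an added example, not code from the thread and not Cloudflare’s implementation. It models a shared cache sitting in front of a Basic-Auth-protected origin, applying the RFC 7234 storability rules that the MDN quote above summarizes, and replays the two header sets reported in the thread (the `public, max-age=14400` one on file.js and the `no-store, no-cache, must-revalidate` one on the PHP pages). The origin, the credentials and the file contents are constructed for the example; the cache keys purely on URL, which is the simplification that makes the last question above answerable: a shared cache serves the stored object to whoever asks for that URL next, with no credential check.

```python
import base64
from dataclasses import dataclass, field

# Constructed credentials for the hypothetical stage origin (not real ones).
STAGE_USER, STAGE_PASS = "stage", "s3cret"
STAGE_AUTH = "Basic " + base64.b64encode(f"{STAGE_USER}:{STAGE_PASS}".encode()).decode()


def parse_cache_control(value):
    """Parse a Cache-Control header value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Simplified RFC 7234 section 3 rules for a *shared* cache (CDN edge).

    no-store / private always forbid storage.  If the request carried an
    Authorization header, the response is storable only when it explicitly
    allows it with public, must-revalidate or s-maxage (sec. 3.2); otherwise
    some explicit freshness or the public directive is needed.
    """
    cc = parse_cache_control(response_headers.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if any(k.lower() == "authorization" for k in request_headers):
        return any(d in cc for d in ("public", "must-revalidate", "s-maxage"))
    return any(d in cc for d in ("public", "max-age", "s-maxage"))


def make_origin(js_cache_control):
    """Build a fake origin: every URL is behind Basic Auth, and /file.js is
    answered with the given Cache-Control value (constructed responses)."""
    def origin(url, request_headers):
        auth = {k.lower(): v for k, v in request_headers.items()}.get("authorization")
        if auth != STAGE_AUTH:
            return 401, {"www-authenticate": 'Basic realm="stage"', "cache-control": "no-store"}, ""
        if url.endswith(".js"):
            return 200, {"cache-control": js_cache_control}, "console.log('staging build');"
        return 200, {"cache-control": "no-store, no-cache, must-revalidate"}, "<html>stage</html>"
    return origin


@dataclass
class SharedCache:
    """Minimal shared cache keyed by URL only (no Vary handling)."""
    origin: object
    store: dict = field(default_factory=dict)

    def get(self, url, request_headers):
        if url in self.store:
            status, _headers, body = self.store[url]
            return "HIT", status, body          # served without consulting the origin
        status, headers, body = self.origin(url, request_headers)
        if shared_cache_may_store(request_headers, headers):
            self.store[url] = (status, headers, body)
        return "MISS", status, body


def replay(js_cache_control):
    """An authenticated client fetches /file.js, then an anonymous client does.
    Returns ((status-of-cache, http-status, body), ...) for both requests."""
    cache = SharedCache(make_origin(js_cache_control))
    url = "https://stage.example.com/file.js"
    first = cache.get(url, {"Authorization": STAGE_AUTH})
    second = cache.get(url, {})                 # no credentials at all
    return first, second


if __name__ == "__main__":
    for cc in ("public, max-age=14400", "no-store, no-cache, must-revalidate"):
        print(cc, "->", replay(cc))
```

With `public, max-age=14400` the anonymous second request is a HIT and receives the file body; with `no-store, no-cache, must-revalidate` the cache stores nothing and the anonymous client is forwarded to the origin, which answers 401. Note that `must-revalidate` on its own is one of the directives that permits a shared cache to store an authenticated response; it is `no-store` (or `private`) that prevents it, so a header such as `must-revalidate, max-age=14400` would not close the gap. Cloudflare’s “Cache Level: Bypass” page rule suggested earlier in the thread achieves the same outcome at the edge regardless of what the origin sends.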
