While testing this I found that mod_cgi also seems to strip the Authorization header. I found this ugly fix: RewriteCond %{HTTP:Authorization} ^(.+) RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]