We have both Live and Test websites hosted behind Sophos UTM.Firewall.
Sometimes a developer wants to run a test website locally on their machine but make ajax requests to the remote Test website which is on the server.
This works fine if we have CORS setup correctly on the server website.
However, we want to protect our test websites from outside users eg search engines, general public but still allow remote developers, testers and clients to access them. The simplest way we found to do that with Sophos is to setup Reverse Authentication on each one. I've tried with both Basic and Forms versions but they don't work because the pre-flight call (ie OPTIONS method) is also protected by the Reverse Authentication. Usually this isn't part of authentication because CORS states that the OPTIONS call can't send cookies or authorization headers.
So, is there a way to get this working with Reverse Authentication to protect test sites but still make calls cross site?
Or is there a better way for us to protect all our test sites. Bear in mind that we don't always know the IP address of users so a username/pass approach is best.
This thread was automatically locked due to age.