Created: 2011-07-12 16:27
Updated: 2017-08-29 05:30


An apache module designed to remove the Authorization header from incoming requests.


Many companies keep their administrative web-apps behind an apache reverse proxy which performs some sort of authentication (such as LDAP). Unfortunately, this typically results in every user's password being passed directly to each and every back-end web-app. A compromised administrative web-app could potentially harvest these passwords for malicious means.

When this module is installed, the Authorization header (containing a user's password) is processed just after the apache authentication layer. The password is replaced with garbage, so it cannot be seen by any back-end apps, but the username is left intact (so the app can know what user is currently logged in).


This module does nothing to improve your network security. As LDAP credentials for apache are typically transmitted in plain-text, your authentication proxy should ALWAYS operate over HTTPS exclusively.

Easy Installation

  • Download from the github downloads, and place in your httpd/modules folder.

Compilation from Source

  • Pull mod_removepass.c from the source repo

  • From the root of your httpd install, run

      bin/apxs -i -c mod_removepass.c
  • should be installed into your httpd/modules folder


In httpd.conf:

  • Enable the module with

      LoadModule removepass_module modules/
  • For any applications which specifically require access to the authentication password, the module can be disabled in the configuration of a specific vhost or path:

      <IfModule mod_removepass.c>
        DoNotStripPassword 1

Known Issues

  • There have been some reports of auto-generated Apache directory indexes returning empty when the password is being stripped. If this is an issue, set DoNotStripPassword on the path, and the indexes should re-appear.
Cookies help us deliver our services. By using our services, you agree to our use of cookies Learn more