Inside the vhost config for the site, include the following:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
That way, the
Authorization header will be passed through regardless of Apache’s usual filtering. Keep in mind that with this rule in place, you have to check for
HTTP_AUTHORIZATION being empty too.