I have an Apache server which uses SSL and requires client certificates for all incoming requests - all other requests are terminated immediately. This is fine in most cases but I would like to allow a CORS preflight to be sent to the server without client cert. The response to the preflight should be static.
Any ideas on how I can configure this in the Apache config?
I answered something that may be related here.
Basically put your auth or ssl stuff between <LimitExcept OPTIONS> and </LimitExcept>