[PR #457] [MERGED] Add http header auth #964

Closed
opened 2026-02-26 00:30:15 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/healthchecks/healthchecks/pull/457
Author: @Phyxius
Created: 12/3/2020
Status: Merged
Merged: 12/9/2020
Merged by: @cuu508

Base: master ← Head: add-http-header-auth


📝 Commits (7)

  • ae4e6c5 Add HTTP header authentication backend/middleware
  • abfd434 Add docs for remote header auth
  • cec1e98 Improve docs on external auth
  • 1fd87aa Add warning for unknown REMOTE_USER_HEADER_TYPE
  • 10f6708 Move active check for header auth to middleware
  • 3659c81 Add test cases for remote header login
  • 1d58dc4 Improve header-based authentication

📊 Changes

5 files changed (+164 additions, -0 deletions)


📝 README.md (+22 -0)
📝 hc/accounts/backends.py (+30 -0)
📝 hc/accounts/middleware.py (+50 -0)
➕ hc/accounts/tests/test_remote_user_header_login.py (+56 -0)
📝 hc/settings.py (+6 -0)

📄 Description

I wanted to self-host healthchecks and integrate it with my central authentication system (see #185), so rather than develop something specific to my needs, I added support for HTTP header-based authentication. This way, people can integrate whatever auth system they want (LDAP, mTLS, SAML, OAuth, whatever) at the reverse proxy level and remove the need for healthchecks to care about the implementation details.

I added two new settings (with corresponding environment variables):

  1. REMOTE_USER_HEADER — set this to the header you wish to authenticate with. HTTP headers will be prefixed with HTTP_ and have any dashes converted to underscores. Headers without that prefix can be set by the WSGI server itself only, which is more secure.
  2. REMOTE_USER_HEADER_TYPE — If set to EMAIL, the specified header will be treated as the user's email. If set to ID, the specified header will be set to the user's UUID. Any other value (including empty, the default) disables header-based authentication.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
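
The header-to-environ mapping and the two settings described above, as an added example that is not code from this PR or from healthchecks. The function names (`wsgi_environ_key`, `build_environ`, `resolve_remote_user`) and the sample addresses are hypothetical; only the setting semantics come from the description.

```python
import uuid

# Added illustration; all names and sample values here are constructed.

def wsgi_environ_key(header_name):
    """Map an HTTP request header name to its WSGI environ key (CGI convention)."""
    key = header_name.upper().replace("-", "_")
    # Content-Type and Content-Length are the two headers that get no HTTP_ prefix.
    if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return key
    return "HTTP_" + key

def build_environ(request_headers, server_vars):
    """Simulate a WSGI server: request headers become HTTP_* keys, while
    variables the server sets itself (e.g. REMOTE_USER) stay unprefixed."""
    environ = {wsgi_environ_key(k): v for k, v in request_headers.items()}
    environ.update(server_vars)
    return environ

def resolve_remote_user(environ, header, header_type):
    """Return ("email", value) or ("id", UUID); None when header auth is
    disabled, the key is absent, or an ID value is not a valid UUID."""
    if header_type not in ("EMAIL", "ID"):
        return None  # any other value, including empty, disables the feature
    value = environ.get(header)
    if not value:
        return None
    if header_type == "EMAIL":
        return ("email", value)
    try:
        return ("id", uuid.UUID(value))
    except ValueError:
        return None

def demo():
    # Constructed request: a "Remote-User" header arrives on the wire, and the
    # WSGI server separately sets REMOTE_USER after authenticating the user.
    environ = build_environ(
        {"Remote-User": "client-claimed@example.org"},
        {"REMOTE_USER": "alice@example.org"},
    )
    return {
        # Unprefixed key: only the server-set value is consulted.
        "unprefixed": resolve_remote_user(environ, "REMOTE_USER", "EMAIL"),
        # HTTP_ key: the value is whatever the request carried, so the
        # reverse proxy must overwrite or strip this header itself.
        "prefixed": resolve_remote_user(environ, "HTTP_REMOTE_USER", "EMAIL"),
        "disabled": resolve_remote_user(environ, "REMOTE_USER", ""),
    }
```
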

Reference
starred/healthchecks#964