I been working with a customer with an issue that I realized that is a problem related of litespeed since when I tried with apache works perfectly fine (even on the same server). My customer is trying to allow GET and password protect all the other calls. So, what he did was password protect the folder and add on the .htaccess of that folder this lines <LimitExcept GET> Require valid-user </LimitExcept> That should prevent to be prompted for username/password when you only browse the page, however, no matter what, I keep getting prompted for username/password. Changing <LimitExcept GET> to <LimitExcept GET POST> suddenly stops requiring authentication (for both operations). Changing it to <LimitExcept GET OPTIONS> (or HEAD or any other method in place of OPTIONS), or <LimitExcept POST> goes back to requiring auth for both GET and POST. Similar results occur with <Limit> directives (putting either GET or POST results in auth required for everything; putting any other method(s) results in no auth required for anything). I already emailed to support but taking in consideration that my 3 last emails were ignored I guess that this is a good way to report it.