Update docs/api-guide/authentication.md

Added mod_wsgi specific instructions

1 files changed, 11 insertions, 0 deletions

diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md
index afd9a261..e91f6c2e 100644
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@@ -60,6 +60,17 @@ Or, if you're using the `@api_view` decorator with function based views.
         }
         return Response(content)
 
+## Apache mod_wsgi Specific Configuration
+
+Unlike other HTTP headers, the authorisation header is not passed through to a WSGI application by default. This is the case as doing so could leak information about passwords through to a WSGI application which should not be able to see them when Apache is performing authentication...
+
+If it is desired that the WSGI application be responsible for handling user authentication, then it is necessary to explicitly configure mod_wsgi to pass the required headers through to the application. This can be done by specifying the WSGIPassAuthorization directive in the appropriate context and setting it to 'On'.
+
+    # this can go in either server config, virtual host, directory or .htaccess 
+    WSGIPassAuthorization On
+
+[cite]: http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization
+
 # API Reference
 
 ## BasicAuthentication