We have a couple of sites that are still on CS and we have run into an issue with failed scans for our PCI Compliance on them. The part that is strange is that all we did was move from a faster VPS and downgrade to a smaller VPS, but we are with the same host. Anyway, the following code has been on the site for some time now, but now they say it is causing us to fail our PCI scan.
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule api/(.*)$ api.php?_d=$1&ajax_custom=1 [L,QSA]
RewriteCond %{REQUEST_URI} \.(png|gif|ico|swf|jpe?g|js|css|ttf|svg|eot|woff|yml|xml)$ [or]
RewriteCond %{REQUEST_URI} store_closed.html$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*?)\/(.*)$ $2 [L]
Here is what they are saying, “the ‘Basic Authentication over HTTP’ failure is resulting due to an API call in your htaccess file. This means any file access with api reference will be moved over to an ajax function.”
The part that confuses me is why didn't we have problems with this code on their previous VPS package? So I am just wondering if anyone knows what the code does and if it is fine to take it out as they suggest. The only reason I am so hesitant is because I have no idea what it does, and in my mind it has been there for a while, so I don't understand why it would be an issue now.
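An added example, not part of the original post and not the cart software's shipped .htaccess: the two API rules from the post, annotated, with an HTTPS-only guard placed in front of them so that the API is never served over plain HTTP, which is the condition the "Basic Authentication over HTTP" finding names. It assumes TLS terminates at this Apache instance (so `%{HTTPS}` reflects the client connection), that `RewriteEngine On` is already set earlier in the file, and that API clients are meant to use HTTPS only.

```apache
# Added example; the guard below is an assumption-based hardening, the two rules
# after it are the ones quoted in the post, unchanged.

# Guard: refuse API requests that arrive over plain HTTP.
# A 403 is used rather than a redirect so that a client configured with an
# http:// URL fails visibly instead of continuing to send credentials in cleartext.
# The pattern covers the same "api/" paths the routing rule below matches,
# plus direct requests to api.php.
RewriteCond %{HTTPS} !=on
RewriteRule (api/|^api\.php$) - [F]

# From the post: copy the Authorization request header into the
# HTTP_AUTHORIZATION environment variable, so PHP can read the credentials
# when it runs under CGI/FastCGI, where the header is not passed through by default.
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# From the post: route api/<path> to api.php, passing <path> in the _d
# parameter and keeping any existing query string (QSA).
RewriteRule api/(.*)$ api.php?_d=$1&ajax_custom=1 [L,QSA]
```

If TLS is terminated on a proxy or load balancer in front of Apache, `%{HTTPS}` will not be `on` for any request and the guard condition has to test whatever header that proxy sets instead.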