If you use .htaccess files for your authentication or for that matter if you use apache for your user authentication (to password protect directories), you will be using the <Limit> directive. I always used the GET access restriction (<Limit GET>) but as I have found through the development of my firefox blogging tool, that this allows non-authenticated users to POST to a script in the password protected directory…. Not very clever really. What you have to do is use <Limit GET POST> and you will be prompted for both GET and POST requests. You can read more about the <Limit> directive in the apache docs. That's enough learning for me today….feet up.