Since WordPress 5.6 we’ve been getting reports that users get a warning message in the Site Health like this: “The Authorization Header is Missing”.
The problem appears to be that Apache does not automatically send authorization headers. If that happens, the header has to be enabled in the virtual host file. I can’t say for sure that is has anything to do with the WordPress 5.6 update, we only noted that users are reporting it since then.
Please note: this has nothing to do with the Really Simple Security security headers: it’s a server configuration issue. I’ve come across to solutions for this.
One user reported that enabling FastCGI fixed it.
All I had to do was run PHP 7.1.4 FastCGI to fix it.
Previously I was running the non-FastCGI version.
Reference: https://wordpress.org/support/topic/the-authorization-header-is-missing/#post-14418938
Another solution I came across (and that I would personally prefer) is to adjust the Apache virtual host config file:
# Get rid of the Site Health message on missing authorization header
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
If you don't know how to adjust your virtual host file, please contact your hosting company about this.