diff --git a/.htaccess b/.htaccess
index 02c56f86ce485033f8a6b20ab52293080a0139bf..7ccb6a2f629d04aad6cead1c22bf81156bb0a04a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -63,6 +63,10 @@ DirectoryIndex index.php index.html index.htm
   RewriteCond %{HTTPS} on
   RewriteRule ^ - [E=protossl:s]
 
+  # Make sure Authorization HTTP header is available to PHP
+  # even when running as CGI or FastCGI.
+  RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
   # Block access to "hidden" directories whose names begin with a period. This
   # includes directories used by version control systems such as Subversion or
   # Git to store control files. Files whose names begin with a period, as well
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index e9fc5026111030ca26738d12eb0abb23b8544821..f9f429da983e774deb381f4ea845a97687915e05 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,8 @@
 
 Drupal 7.23, xxxx-xx-xx (development version)
 -----------------------
+- Changed the default .htaccess file to support HTTP authorization in CGI
+  environments.
 - Changed the password reset form to pre-fill the username when requested via a
   URL query parameter, and used this in the error message that appears after a
   failed login attempt (minor data structure and behavior change).