Problem : the server needs authentification.
I can’t use HTTP_USERNAME and HTTP_PASSWORD, because I would need a common L/P for all people using this CMakeLists.txt. And also, this file would be versionned. It is clearly a security hole.
If I was using Git, I could rely on the Windows Credential Manager (yes, we work on Windows). Buf for Nexus (or other artefacts server…), how to you manage this need, which appears to me pretty basic ?
The HTTP_HEADER and passing credentials via $ENV{}/CACHE is how I would do it myself too, if I had to fetch bare archives from a server that requires authentication. By “bare archives” I mean that usually Nexus and the likes of it (JFrog Artifactory, Azure DevOps Artifacts, etc) are used as registries/repositories for package managers, which is what I would be using, but I guess “crude” downloads of “plain” archives works too.
And if your question was “can I let users somehow bypass server authentication”, then quite naturally the answer is no, and moreover that’s outside of CMake’s scope. As Jakub said, your server is either publicly available to everyone or those who are meant to be using it need to have their own accounts there.