diff --git a/server-ctl.go b/server-ctl.go
index b32957c..5ec2798 100644
--- a/server-ctl.go
+++ b/server-ctl.go
@@ -46,6 +46,7 @@ type json_out_server_stats struct {
 type server_ctl struct {
 	s *Server
 	id string
+	noauth bool // override the auth configuration if true
 }
 
 type server_ctl_token struct {
@@ -83,7 +84,7 @@ func (ctl *server_ctl) Cors(req *http.Request) bool {
 }
 
 func (ctl *server_ctl) Authenticate(req *http.Request) (int, string) {
-	if ctl.s.cfg.CtlAuth == nil { return http.StatusOK, "" }
+	if ctl.noauth || ctl.s.cfg.CtlAuth == nil { return http.StatusOK, "" }
 	return ctl.s.cfg.CtlAuth.Authenticate(req)
 }
 
diff --git a/server.go b/server.go
index 4903b89..00d6615 100644
--- a/server.go
+++ b/server.go
@@ -1104,7 +1104,7 @@ func NewServer(ctx context.Context, name string, logger Logger, cfg *ServerConfi
 	s.pxy_mux.Handle("/_ssh-ws/{conn_id}/{route_id}",
 		websocket.Handler(func(ws *websocket.Conn) { s.pxy_ws.ServeWebsocket(ws) }))
 	s.pxy_mux.Handle("/_ssh/server-conns/{conn_id}/routes/{route_id}",
-		s.wrap_http_handler(&server_ctl_server_conns_id_routes_id{server_ctl{s: &s, id: HS_ID_PXY}}))
+		s.wrap_http_handler(&server_ctl_server_conns_id_routes_id{server_ctl{s: &s, id: HS_ID_PXY, noauth: true}}))
 	s.pxy_mux.Handle("/_ssh/{conn_id}/",
 		s.wrap_http_handler(&server_proxy_xterm_file{server_proxy: server_proxy{s: &s, id: HS_ID_PXY}, file: "_redirect"}))
 	s.pxy_mux.Handle("/_ssh/{conn_id}/{route_id}/",
@@ -1119,6 +1119,8 @@ func NewServer(ctx context.Context, name string, logger Logger, cfg *ServerConfi
 		s.wrap_http_handler(&server_proxy_xterm_file{server_proxy: server_proxy{s: &s, id: HS_ID_PXY}, file: "_forbidden"}))
 	s.pxy_mux.Handle("/favicon.ico",
 		s.wrap_http_handler(&server_proxy_xterm_file{server_proxy: server_proxy{s: &s, id: HS_ID_PXY}, file: "_forbidden"}))
+	s.pxy_mux.Handle("/favicon.ico/",
+		s.wrap_http_handler(&server_proxy_xterm_file{server_proxy: server_proxy{s: &s, id: HS_ID_PXY}, file: "_forbidden"}))
 
 	s.pxy_mux.Handle("/_http/{conn_id}/{route_id}/{trailer...}",
 		s.wrap_http_handler(&server_proxy_http_main{server_proxy: server_proxy{s: &s, id: HS_ID_PXY}, prefix: "/_http"}))
@@ -1145,7 +1147,7 @@ func NewServer(ctx context.Context, name string, logger Logger, cfg *ServerConfi
 		websocket.Handler(func(ws *websocket.Conn) { s.wpx_ws.ServeWebsocket(ws) }))
 
 	s.wpx_mux.Handle("/_ssh/server-conns/{conn_id}/routes/{route_id}",
-		s.wrap_http_handler(&server_ctl_server_conns_id_routes_id{server_ctl{s: &s, id: HS_ID_WPX}}))
+		s.wrap_http_handler(&server_ctl_server_conns_id_routes_id{server_ctl{s: &s, id: HS_ID_WPX, noauth: true}}))
 	s.wpx_mux.Handle("/_ssh/xterm.js",
 		s.wrap_http_handler(&server_proxy_xterm_file{server_proxy: server_proxy{s: &s, id: HS_ID_WPX}, file: "xterm.js"}))
 	s.wpx_mux.Handle("/_ssh/xterm-addon-fit.js",