Additional comments:
Basic authentication is the easiest security to implement in your application, and it can be implemented without additional libraries. Everything needed to implement basic authentication is what you have done. The problem with basic authentication is that it is (well, “basic”) and it offers the lowest security options of the common protocols.
As far as I know there are no advanced options for using basic authentication, so you are just sending a username and password base64-encoded.
Basic authentication should never be used without SSL encryption because the username and password combination can be easily decoded otherwise.
The UseSession = 1, as you mentioned, will break the stateless characteristics of RESTful services, and you will also consume a CSP license until the session ends.
You could take a look at other authorization frameworks such as OAuth2.0, SAML (supported by Caché and Ensemble) or create your own custom protocols for access token control by using the ZAUTHENTICATE routine and Caché/Ensemble delegated access.
There are 2 nice posts from Daniel Kutac that may help you with additional options:
https://community.intersystems.com/post/cach%C3%A9-open-authorization-fr...
https://community.intersystems.com/post/cach%C3%A9-open-authorization-fr...
OPTIONS request should be available to unauthorized users.
I think the problem is that the browser turns the GET request into an OPTIONS request, and the question is how do I deal with this on the service end. There seems to be an OnHandleOptionsRequest() method in %CSP.REST but I don't get how to use it?
As Fabio said
To enable CORS support.
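
The two points raised in this thread (a Basic credential is only base64 of `user:password`, and the browser's CORS preflight OPTIONS request arrives without credentials, so it has to be answered before authentication runs) are shown in the following language-neutral sketch. It is an added example, not code from the thread and not %CSP.REST code; the origin, the user table and the function names are constructed assumptions.

```python
import base64
import binascii
import hmac

# Constructed sample values (assumptions, not from the thread).
ALLOWED_ORIGIN = "https://app.example.test"
USERS = {"demo": "s3cret:with:colons"}


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # base64 is an encoding, not encryption: anyone who sees it can do this.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    return (user, password) if sep else None


def handle(method, headers):
    """Return (status, response_headers); header names assumed canonical-case."""
    cors = {"Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin"}
    # Preflight: the browser sends OPTIONS without the Authorization header,
    # so it must be answered before any credential check.
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        if headers.get("Origin") != ALLOWED_ORIGIN:
            return 403, {}
        cors["Access-Control-Allow-Methods"] = "GET"
        cors["Access-Control-Allow-Headers"] = "Authorization"
        return 204, cors
    creds = parse_basic(headers.get("Authorization"))
    expected = USERS.get(creds[0]) if creds else None
    # Constant-time comparison avoids leaking how much of the password matched.
    if expected is None or not hmac.compare_digest(
        expected.encode(), creds[1].encode()
    ):
        return 401, {**cors, "WWW-Authenticate": 'Basic realm="api"'}
    return 200, cors
```
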