The docs show how to configure access control using an environment variable with mod_setenvif. Using the technique described in the docs, I was able to password protect apache’s server-status page.
<Location /server-status> SetHandler server-status SetEnvIf Request_URI "mypassword" continue=1 Order deny,allow Deny from all Allow from env=continue </Location>
Now only you can access the page by going to: http://server.com/server-status/mypassword/
The downside to using the Request_URI attribute is that the password will be visible in your browser history.