RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}],what does it mean?

If you are not using HTTP Authentication with WordPress then you can remove it.

If you are using PHP as an Apache module then you can remove it. (Maybe WP detects this when it generates the .htaccess file?)

Aside: However, since this directive is inside the WordPress code block (ie. between the # BEGIN WordPress / # END WordPress comment markers) then if you do remove it then WordPress is only going to "try" and put it back again later. (You should avoid manual edits to the WP code block for this reason.)

Having this directive in .htaccess will not cause any problems.

When PHP is installed as CGI then Apache prevents the Authorization HTTP request header (used with HTTP Authentication) from being passed through to CGI scripts (ie. PHP in this instance). This is a "security feature", to prevent the user's credentials from being passed to all CGI scripts (which might not be trusted, if you don't control the server).

PHP normally sets the $_SERVER['HTTP_AUTHORIZATION'] superglobal (and associated array elements) from the HTTP Authorization header, but if it's been stripped by Apache then it can't.

The RewriteRule directive in .htaccess attempts to "fix" this by setting an HTTP_AUTHORIZATION environment variable to the value of the Authorization HTTP request header (this is before the request is passed to PHP). PHP then assigns the HTTP_AUTHORIZATION env var to the $_SERVER superglobal array. So, in theory, it's doing the same thing. However, depending on the server config, this doesn't necessarily work.

Alternatively, to explicitly allow the "passing of HTTP authorization headers to scripts as CGI variables" you can set CGIPassAuth On (Apache 2.4.13+) in .htaccess and this should allow PHP to see the Authorization header. However, depending on the server config, this might not work either.

Reference:

• https://httpd.apache.org/docs/2.4/mod/core.html#cgipassauth