Today I Learned

A Hashrocket project

Understanding the 'WWW-Authenticate' Header

If you've ever made an HTTP request and gotten a 401 response status, the response headers most likely included one or more WWW-Authenticate entries. This flow is called "challenge and response", and it's part of the framework for HTTP authentication.

This header is used to tell the client how it can authenticate in order to gain access to the requested resource.

For example, a response might include the following headers:

WWW-Authenticate: Basic
WWW-Authenticate: NTLM

This means that the requested resource supports both the Basic and NTLM authentication schemes.

These headers can also carry additional metadata for their authentication schemes, such as a token68 value or a realm.
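
An added example, not part of the original post: a small Python parser that splits WWW-Authenticate values into challenges, following the challenge grammar in RFC 7235 (a scheme, then either one token68 or a list of auth-params). The header values beyond `Basic` and `NTLM` are constructed; the quoted realm containing a comma shows why splitting on commas is not enough.

```python
import re

# Grammar pieces from RFC 7235: token, quoted-string, token68.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
SCHEME = re.compile(rf'({TOKEN})(?:[ \t]+|(?=,|$))')
PARAM = re.compile(rf'\s*({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*(?:,|$)')
TOKEN68 = re.compile(r'([A-Za-z0-9\-._~+/]+=*)\s*(?:,|$)')
SEPARATORS = re.compile(r'[\s,]*')


def parse_challenges(header_values):
    """Return one dict per challenge found in the WWW-Authenticate values."""
    challenges = []
    for value in header_values:
        pos = SEPARATORS.match(value).end()
        while pos < len(value):
            scheme = SCHEME.match(value, pos)
            if scheme is None:
                raise ValueError(f"malformed challenge at offset {pos}: {value!r}")
            item = {"scheme": scheme.group(1), "token68": None, "params": {}}
            pos = scheme.end()
            # auth-params: name=value pairs; a quoted value may contain commas.
            while (param := PARAM.match(value, pos)) is not None:
                name, quoted, bare = param.groups()
                text = bare if quoted is None else re.sub(r'\\(.)', r'\1', quoted)
                item["params"][name.lower()] = text
                pos = param.end()
            # token68: a single opaque blob, only valid when there are no params.
            if not item["params"] and (blob := TOKEN68.match(value, pos)):
                item["token68"] = blob.group(1)
                pos = blob.end()
            challenges.append(item)
            pos = SEPARATORS.match(value, pos).end()
    return challenges


# Constructed sample: the two headers from the post, plus one combined header.
SAMPLE = [
    "Basic",
    "NTLM",
    'Basic realm="Staging, internal", charset="UTF-8", Negotiate Y29uc3RydWN0ZWQ=',
]

if __name__ == "__main__":
    for challenge in parse_challenges(SAMPLE):
        print(challenge)
```

Scheme and parameter names are case-insensitive, so compare them in lower case when checking which schemes an endpoint advertises.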

Next time you get a 401, check out the response headers to see what auth schemes are supported!

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate
