Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Proper WWW-Authenticate Implementation

Ingrid

⇤ Web Application Header Assessment

Optional for both HTTP/1.0 and HTTP/1.1

The WWW-Authenticate header indicates the authentication scheme. See finding messages.

Responses

Response Description Header
401

If the header isn't used, there will be no record to assess.

We grade any request for credentials that uses the WWW-Authenticate header as “BAD.”
  • HTTP 1.0 (non-HTTPS)
  • HTTP 1.1 (non-HTTPS)

Resources

RFC-7235 (Section 4.1)

  • September 12, 2023: Separated finding messages.
  • November 21, 2019: Published.

Related articles

Feedback

0 comments

Please sign in to leave a comment.