Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Proper WWW-Authenticate Implementation

Ingrid

This documentation pertains to the Web Application Headers (WAH) risk vector, which was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned with an N/A grade.

⇤ Web Application Header Assessment

Optional for both HTTP/1.0 and HTTP/1.1

The WWW-Authenticate header indicates the authentication scheme. See finding messages.

Responses

Response Description Header
401

If the header isn't used, there will be no record to assess.

We grade any request for credentials that uses the WWW-Authenticate header as “BAD.”
  • HTTP 1.0 (non-HTTPS)
  • HTTP 1.1 (non-HTTPS)

Resources

RFC-7235 (Section 4.1)

  • December 9, 2025: WAH was replaced by WAS.
  • September 12, 2023: Separated finding messages.
  • November 21, 2019: Published.
Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.