The HTTP WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource.

The WWW-Authenticate header is sent along with a 401 (Unauthorized) response.

Header type: Response header
Forbidden header name: no


WWW-Authenticate: <type> realm=<realm>


<type>: Authentication type. A common type is "Basic". IANA maintains a list of Authentication schemes.
realm=<realm>: A description of the protected area. If no realm is specified, clients often display a formatted hostname instead.


Typically, a server response contains a WWW-Authenticate header that looks like one of these:

WWW-Authenticate: Basic

WWW-Authenticate: Basic realm="Access to the staging site"
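
The 401 / WWW-Authenticate exchange above, seen from the server side, as an added example that is not part of the original page. The function names, the user store and the PBKDF2 storage format are assumptions made for illustration (this is not Apache's .htpasswd format); only the realm string comes from the page.

```python
import base64
import hashlib
import hmac

REALM = "Access to the staging site"  # realm string from the page's example

def hash_password(password: str, salt: bytes) -> bytes:
    # Constructed storage format for this example (not Apache's .htpasswd format).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed sample user store: username -> (salt, password hash).
SALT = b"constructed-salt"
USERS = {"alice": (SALT, hash_password("s3cret:with:colons", SALT))}

def challenge(realm: str = REALM):
    """Build the 401 response that asks the client for Basic credentials."""
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')  # quoted-string escaping
    return 401, {"WWW-Authenticate": f'Basic realm="{quoted}"'}

def parse_basic(authorization):
    """Return (user, password) from an Authorization header value, or None if malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":  # scheme names are case-insensitive
        return None
    try:
        # Basic credentials are base64-encoded, not encrypted (RFC 7617).
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, bad padding or non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")  # split on the first colon only
    return (user, password) if sep else None

def authenticate(authorization, users=USERS):
    """Return (status, headers) for a request to the protected resource."""
    creds = parse_basic(authorization)
    if creds is None:
        return challenge()
    user, password = creds
    salt, expected = users.get(user, (b"missing-user-salt", b""))
    # Hash even for unknown users, then compare in constant time.
    if hmac.compare_digest(hash_password(password, salt), expected):
        return 200, {}
    return challenge()
```
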

Apache .htaccess basic authentication

To password protect one or more directories on an Apache server, you will need a .htaccess and a .htpasswd file.

The .htaccess file typically looks like this:

AuthType Basic
AuthName "Access to the staging site"
AuthUserFile /path/to/.htpasswd
Require valid-user

The .htaccess file references a .htpasswd file in which each line consists of a username and a password separated by a colon (":"). You cannot see the actual passwords because they are stored as hashes (MD5 in this case). Note that you can name your .htpasswd file differently if you like, but keep in mind that this file shouldn't be accessible to anyone (Apache is usually configured to prevent access to .ht* files).



Specification | Title
RFC 7235, section 4.1: WWW-Authenticate | HTTP/1.1: Authentication
RFC 7617 | The 'Basic' HTTP Authentication Scheme

