The WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource.
The WWW-Authenticate header is sent along with a 401 (Unauthorized) response.
|Header type||Response header|
|Forbidden header name||no|
WWW-Authenticate: <type> realm=<realm>
- <type>: Authentication type. A common type is "Basic". IANA maintains a list of authentication schemes.
- realm=<realm>: A description of the protected area. If no realm is specified, clients often display a formatted hostname instead.
Typically, a server response contains a WWW-Authenticate header that looks like these:
WWW-Authenticate: Basic
WWW-Authenticate: Basic realm="Access to the staging site"
Apache .htaccess basic authentication
To password-protect one or more directories on an Apache server, you will need a .htaccess and a .htpasswd file. The .htaccess file typically looks like this:
AuthType Basic
AuthName "Access to the staging site"
AuthUserFile /path/to/.htpasswd
Require valid-user
The .htaccess file references a .htpasswd file in which each line consists of a username and a password separated by a colon (":"). You cannot see the actual passwords because they are stored hashed (MD5 in this case). Note that you can name your .htpasswd file differently if you like, but keep in mind that this file shouldn't be accessible to anyone (Apache is usually configured to prevent access to
|RFC 7235, section 4.1: WWW-Authenticate||HTTP/1.1: Authentication|
|RFC 7617||The 'Basic' HTTP Authentication Scheme|
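The .htpasswd format described in the Apache section (one username and password hash per line, separated by a colon, MD5 in the page's case) can be audited for entries whose hash scheme deserves review. This is an added example, not code from the original page or from Apache; the sample entries are constructed, and which schemes count as strong is an assumption of this example.

```python
import re

# (prefix, scheme, strong?) -- "strong" is this example's policy, an assumption.
PREFIXES = [
    ("$2y$", "bcrypt", True),
    ("$6$", "sha512-crypt", True),
    ("$5$", "sha256-crypt", True),
    ("$apr1$", "apr1-md5", False),      # the MD5 case the page mentions
    ("{SHA}", "sha1-unsalted", False),
]
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample file; the hash bodies are filler, not real hashes.
SAMPLE = """\
# staging users
alice:$apr1$EXAMPLE0$xxxxxxxxxxxxxxxxxxxxxx
bob:$2y$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
carol:{SHA}xxxxxxxxxxxxxxxxxxxxxxxxxxx=
dave:ab0123456789.
erin:changeme
brokenline
"""


def classify(hash_field):
    """Return (scheme, strong) for the text after the first colon."""
    for prefix, scheme, strong in PREFIXES:
        if hash_field.startswith(prefix):
            return scheme, strong
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt", False       # heuristic: 13 crypt(3) characters
    return "plaintext-or-unknown", False


def audit_htpasswd(text):
    """Return one (line_number, user, scheme, strong) tuple per entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # blank and comment lines carry no entry
        user, sep, hash_field = line.partition(":")
        if not (sep and user and hash_field):
            findings.append((lineno, user, "malformed", False))
            continue
        findings.append((lineno, user, *classify(hash_field)))
    return findings


if __name__ == "__main__":
    for lineno, user, scheme, strong in audit_htpasswd(SAMPLE):
        print(f"line {lineno}: {user:<10} {scheme:<20} {'ok' if strong else 'REVIEW'}")
```

Entries reported as anything other than strong are candidates for regeneration with a stronger scheme; the des-crypt match is a length-and-alphabet heuristic and can misreport a 13-character plaintext value.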