The HTTP WWW-Authenticate header is a response header. It supports the various authentication mechanisms used to control access to pages and other resources. All of these mechanisms are based on the 401 status code. The WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource, and it is sent along with a 401 Unauthorized response.
The flow works as follows: the server responds to a client with a 401 Unauthorized status and a WWW-Authenticate response header containing at least one challenge, which tells the client how to authorize. A client that wants to authenticate itself with the server can then do so by including an Authorization request header with the credentials. Usually, the client presents a password prompt to the user and then issues the request with the correct Authorization header.
Diagrammatic representation of basic authentication is as follows:
Here, <type> is the authentication scheme (“Basic” is the most common scheme and is introduced below). The realm is used to describe the protected area or to indicate the scope of protection. This could be a message like “Access to the staging site” or similar, so that the user knows which space they are trying to get access to.
Note: With “Basic” authentication as shown in the figure, the exchange must happen over an HTTPS (TLS) connection to be secure.
The server must specify which authentication scheme is used so that a client that wishes to authorize knows how to provide the credentials.
WWW-Authenticate: <type> realm=<realm>, charset=<charset>
Directives: This header accepts three directives as mentioned above and described below:
- <type>: This directive holds the authentication type. A common type is “Basic”. IANA maintains a list of authentication schemes.
- realm=<realm>: This directive describes the protected area. By default, the formatted hostname is used.
- charset=<charset>: Tells the client the server’s preferred encoding scheme when submitting a username and password. The only allowed value is the case-insensitive string “UTF-8”. This doesn’t relate to the encoding of the realm string.
WWW-Authenticate: Basic realm="Access to the staging site", charset="UTF-8"
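The challenge and response described above, as an added Python example that is not part of the original page. The function names, the in-memory user table and its credentials are assumptions made for illustration; the realm string is the one from the header example.

```python
import base64
import hmac

REALM = "Access to the staging site"      # realm string from the header example
# Constructed credentials (assumption). Plaintext only to keep the example
# short; a real server stores salted password hashes instead.
USERS = {"alice": "pässword-for-demo"}


def challenge():
    """401 response carrying a single Basic challenge."""
    value = f'Basic realm="{REALM}", charset="UTF-8"'
    return 401, {"WWW-Authenticate": value}


def basic_credentials(user, password):
    """Client side: build the Authorization header value using UTF-8."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def handle(request_headers):
    """Server side: return (status, response_headers) for a protected page."""
    scheme, _, token = request_headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return challenge()                 # missing or unsupported scheme
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                     # bad base64 or bad UTF-8
        return challenge()
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user, "")
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if not sep or user not in USERS or not ok:
        return challenge()
    return 200, {}


if __name__ == "__main__":
    print(handle({}))                      # first request: no credentials
    header = basic_credentials("alice", "pässword-for-demo")
    print(header, handle({"Authorization": header}))
```

The base64 token is an encoding, not encryption, which is why the exchange is only safe over TLS.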
Supported Browsers: The browsers that support the HTTP WWW-Authenticate header are listed below:
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Internet Explorer