HTTP Authentication

HTTP includes several authentication methods that are used to restrict and grant access to servers or specific resources. When a client wants access to a resource that requires HTTP Authentication, the credentials must be supplied, otherwise, an HTTP status code error such as 401 Unauthorized will be returned.


Resources can be protected against unauthorized use by requiring the client to first authenticate before being granted access. When a client attempts to access a resource without first authenticating, the server may return a 401 Unauthorized HTTP status code. Included as part of the HTTP response will be the HTTP WWW-Authenticate response header, which will inform the client what authorization methods it supports.

Common authentication schemes

The specifications for common authentication schemes can be found at the following links:

  • Basic; This type of authentication is the transmission of credentials and ID/Password pairs.

  • Bearer; This authentication, also known as token authentication, relies on security tokens that are generated by the server and returned to the client following a successful login. The client is responsible for sending these tokens in any subsequent attempt to access secure resources.

  • Digest; HTTP Digest access authentication is a challenge-response protocol that can be used to authenticate resource requests.

  • HOBA; HTTP Origin-Bound Authentication is a scheme that does not require the server to maintain a list of stored passwords, and thus is not vulnerable to phishing attacks.

  • Mutual; Mutual authentication, also known as two-way authentication, is similar to the Basic and Digest authentication schemes, with the difference that the server is guaranteed to know the client’s encrypted password. Essentially, the client and server authenticate each other before the interaction continues.

  • AWS4-HMAC-SHA256; This is an authentication algorithm designed to provide authentication information to Amazon Web Services (AWS).

More than one authentication method can be specified by the server, either on multiple lines or a single, comma-delimited line. When the client has the credentials required, they are sent to the server using the HTTP Authorization request header. The authentication methods offered by the server may be resource-specific, where resources that demand higher security will only be accessible using more secure authentication protocols.

Consider, for example, that the server and client agree to use the Basic authentication scheme. The ID/Password pair is sent unencrypted and thus has to rely on the data being transmitted over a secure HTTP Connection, such as HTTPS. Absent this layer of security, an intermediary can record the ID/Password pair and later use it to gain access to the restricted resource.

Invalid credentials and insufficient privileges

When the client does not authenticate or does not supply valid credentials, the server may respond with the 401 Unauthorized HTTP status code, or the 407 Proxy Authentication Required HTTP status code if access is being made through a proxy that requires authentication.

In the case where a client’s credentials have been verified but the account does not have sufficient permissions to interact with the resource, the server will respond with the 403 Forbidden HTTP status code. This implies that access is simply not available for the client.

It is relevant to consider that some servers will instead return a 404 Not Found HTTP status code. This can be used to deny the existence of the specified resource.

Credentials as part of URL

Servers often also allow for login credentials can be transmitted as part of the URL, as user information in the authority part.

However due to security concerns usage of this method is strongly discouraged.


In this example, the client requests a resource and the server responds with the 401 Unauthorized response to indicate that the resource is protected. As part of the response, the server indicates that it supports both Basic authorization and Mutual authorization. It also informs the client as to what part of the system is being accessed, which is “Production”.

The client responds by stating that it is providing a username:password pair using the Basic authentication protocol, which is specified in the Authorization header. Finally, the server responds by transmitting the requested resource.

Initial request

GET /news.html HTTP/1.1


HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic; realm=”Production”
WWW-Authenticate: Mutual

Second request – includes authentication

GET /news.html HTTP/1.1
Authorization: Basic RXhhbXBsZTphaQ==


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2500

<HTML document included in message body>


HTTP Authentication is used to restrict access to specific servers or resources. Clients can authenticate with a server using several different methods to gain access.

Last updated: June 2, 2022