Proxy-Authentication-Info

The HTTP Proxy-Authentication-Info response header returns Authentication parameters after a proxy accepts client credentials sent via the Proxy-Authorization header.

Usage

The Proxy-Authentication-Info header serves the same purpose as Authentication-Info, but applies to proxy authentication rather than origin server authentication. When a client successfully authenticates to a proxy, the proxy uses this header to send additional authentication data back to the client.

The header supports nonce rotation, mutual authentication, and other features defined by the authentication scheme in use. Each proxy in a chain handles its own authentication separately, so this header applies only to the next client on the response chain. Only the client choosing the proxy has the credentials needed for authentication with the specific proxy.

The parameters follow the authentication scheme indicated by the Proxy-Authenticate header in the original challenge. Different schemes define different parameter sets.

Directives

nextnonce

The nextnonce parameter provides a new nonce value for the client to use when authenticating to this proxy on the next request. The client replaces the original nonce with this value when constructing the next Proxy-Authorization header.

rspauth

The rspauth (response authentication) parameter contains a digest computed by the proxy to prove the proxy knows the client's credentials. The client verifies this digest to confirm the proxy's identity, preventing proxy impersonation. This parameter appears when the quality of protection includes authentication (qop=auth or qop=auth-int).

qop

The qop (quality of protection) parameter indicates the protection level applied to the response. The value auth means authentication only. The value auth-int means authentication with integrity protection of the response message body.

cnonce

The cnonce (client nonce) parameter echoes the client nonce value sent in the Proxy-Authorization header. The parameter confirms the proxy processed the client's nonce. Required when qop=auth or qop=auth-int is specified.

nc

The nc (nonce count) parameter echoes the hexadecimal count of requests the client has sent with the current nonce value. Required when qop=auth or qop=auth-int is specified.

Example

A proxy returns authentication parameters after accepting the client's Digest authentication credentials. The nextnonce rotates the nonce, and rspauth provides mutual authentication.

Proxy-Authentication-Info: nextnonce="7ba3c2", rspauth="9f2e4a1b8d3c5e7f", qop=auth, cnonce="5d3b9a4c", nc=00000001

Takeaway

The Proxy-Authentication-Info header sends authentication parameters from a proxy to the client after successful proxy authentication, enabling nonce rotation and mutual authentication in schemes such as Digest Access Authentication.

See also

• RFC 9110: HTTP Semantics
• Proxy-Authorization
• Proxy-Authenticate
• Authentication-Info
• Authentication
• HTTP headers