curl -I -o /dev/null -w "%{http_code}" https://example.com
HTTP 401 Unauthorized signals that the request requires authentication and either no credentials were provided or the credentials provided are invalid. Despite the name "Unauthorized", 401 is specifically about authentication (identity), not authorisation (permission) — the latter is what 403 Forbidden indicates.
401 responses must include a WWW-Authenticate header indicating what authentication scheme is expected (Basic, Bearer, Digest, etc.). The client should either prompt the user for credentials (browsers do this for HTTP Basic Auth) or include credentials in the next request. Repeated 401s with the same credentials usually mean the credentials are wrong.
From a security perspective, 401 vs 404 reveals information about whether resources exist. A 401 on /admin/dashboard tells attackers "this exists but requires auth" — useful for reconnaissance. Some applications return 404 instead of 401 for protected resources to obscure their existence (the security-through-obscurity tradeoff). Authentication brute-force attacks specifically watch for 401 → non-401 transitions to identify successful guesses.
APIs requiring authentication return 401 for requests without valid credentials. Clients typically retry with credentials (token, API key, OAuth bearer). Standard pattern; 401 with WWW-Authenticate header indicates what authentication is expected.
Attackers test many credential pairs against login endpoints; 401 indicates failure, redirect or 200 indicates success. Defenders look for unusual rates of 401 from single sources (IP, user agent) — indicates brute-force activity. Rate limiting + account lockout + CAPTCHA on threshold defends.
Hunters test whether protected resources can be accessed without authentication. Common findings: API endpoints checking auth on web UI but not API, authentication checks bypassed by case-changes in URL, missing checks on subdomains. Each is a valid finding.
OAuth flows produce 401s when access tokens expire. Clients handle by refreshing tokens via refresh-token flow, then retrying original request with new access token. Standard pattern; well-implemented OAuth clients handle transparently.
Compliance audits verify authentication is enforced where required. Sample tests: request protected resources without credentials (expect 401), with invalid credentials (expect 401), with valid credentials (expect 200). Document evidence for SOC 2, ISO 27001, etc.
401 = no/invalid credentials (authentication problem). 403 = valid credentials but insufficient permission (authorisation problem). Confusing these makes debugging harder and breaks API client error handling. Use the right code for the actual condition.
Error messages like "username valid but password wrong" tell attackers username is valid — halves the brute-force search space. Use generic "invalid credentials" regardless of which credential was wrong.
Authentication endpoints without rate limits enable brute-force attacks. Implement rate limiting per source IP and per username. Add CAPTCHA after threshold. Alert on unusual authentication failure rates.
Static API tokens that never expire are easier to brute force or compromise via token leakage. Use short-lived tokens with refresh mechanisms (OAuth flow) or rotate static tokens regularly.
Authentication enforcement must be applied consistently. Common gap: web UI requires auth but API does not (or vice versa). Subdomain might bypass main domain auth. Audit comprehensively; do not rely on framework defaults to apply everywhere.
URLs are logged in many places (web server logs, proxy logs, browser history, referer headers). Passwords or API tokens in URLs leak via these channels. Use Authorization header or POST body for credentials; never URL parameters.
WWW-Authenticate: Basic realm="API" for HTTP Basic Auth. WWW-Authenticate: Bearer for OAuth/JWT bearer tokens. The client uses this to know how to authenticate on the next request.