<!doctype html><html lang="en-US" prefix="og: https://ogp.me/ns#"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="https://developer.mozilla.org/favicon-48x48.bc390275e955dacb2e65.png"/><link rel="apple-touch-icon" href="https://developer.mozilla.org/apple-touch-icon.528534bba673c38049c2.png"/><meta name="theme-color" content="#ffffff"/><link rel="manifest" href="https://developer.mozilla.org/manifest.f42880861b394dd4dc9b.json"/><link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="MDN Web Docs"/><title>WWW-Authenticate - HTTP | MDN</title><link rel="alternate" title="WWW-Authenticate" href="https://developer.mozilla.org/de/docs/Web/HTTP/Headers/WWW-Authenticate" hrefLang="de"/><link rel="alternate" title="WWW-Authenticate" href="https://developer.mozilla.org/es/docs/Web/HTTP/Headers/WWW-Authenticate" hrefLang="es"/><link rel="alternate" title="WWW-Authenticate" href="https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/WWW-Authenticate" hrefLang="fr"/><link rel="alternate" title="WWW-Authenticate" href="https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/WWW-Authenticate" hrefLang="ja"/><link rel="alternate" title="WWW-Authenticate" href="https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/WWW-Authenticate" hrefLang="pt"/><link rel="alternate" title="WWW-Authenticate" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/WWW-Authenticate" hrefLang="zh"/><link rel="alternate" title="WWW-Authenticate" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate" hrefLang="en"/><link rel="preload" as="font" type="font/woff2" href="/static/media/Inter.var.c2fe3cb2b7c746f7966a.woff2" crossorigin=""/><link rel="alternate" type="application/rss+xml" title="MDN Blog RSS Feed" href="https://developer.mozilla.org/en-US/blog/rss.xml" hrefLang="en"/><meta name="description" content="The HTTP WWW-Authenticate response header advertises the HTTP authentication methods (or challenges) that might be used to gain access to a specific resource."/><meta property="og:url" content="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate"/><meta property="og:title" content="WWW-Authenticate - HTTP | MDN"/><meta property="og:type" content="website"/><meta property="og:locale" content="en_US"/><meta property="og:description" content="The HTTP WWW-Authenticate response header advertises the HTTP authentication methods (or challenges) that might be used to gain access to a specific resource."/><meta property="og:image" content="https://developer.mozilla.org/mdn-social-share.d893525a4fb5fb1f67a2.png"/><meta property="og:image:type" content="image/png"/><meta property="og:image:height" content="1080"/><meta property="og:image:width" content="1920"/><meta property="og:image:alt" content="The MDN Web Docs logo, featuring a blue accent color, displayed on a solid black background."/><meta property="og:site_name" content="MDN Web Docs"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:creator" content="MozDevNet"/><link rel="canonical" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate"/><style media="print">.article-actions-container,.document-toc-container,.language-menu,.main-menu-toggle,.on-github,.page-footer,.place,.sidebar,.top-banner,.top-navigation-main,ul.prev-next{display:none!important}.main-page-content,.main-page-content pre{padding:2px}.main-page-content pre{border-left-width:2px}</style><script src="/static/js/gtag.js" defer=""></script><script defer="" src="/static/js/main.f565372a.js"></script><link href="/static/css/main.3d9e7a02.css" rel="stylesheet"/></head><body><script>if(document.body.addEventListener("load",(t=>{t.target.classList.contains("interactive")&&t.target.setAttribute("data-readystate","complete")}),{capture:!0}),window&&document.documentElement){const t={light:"#ffffff",dark:"#1b1b1b"};try{const e=window.localStorage.getItem("theme");e&&(document.documentElement.className=e,document.documentElement.style.backgroundColor=t[e]);const o=window.localStorage.getItem("nop");o&&(document.documentElement.dataset.nop=o)}catch(t){console.warn("Unable to read theme from localStorage",t)}}</script><div id="root"><ul id="nav-access" class="a11y-nav"><li><a id="skip-main" href="#content">Skip to main content</a></li><li><a id="skip-search" href="#top-nav-search-input">Skip to search</a></li><li><a id="skip-select-language" href="#languages-switcher-button">Skip to select language</a></li></ul><div class="page-wrapper category-http document-page"><div class="top-banner loading"><section class="place top container"></section></div><div class="sticky-header-container"><header class="top-navigation "><div class="container "><div class="top-navigation-wrap"><a href="/en-US/" class="logo" aria-label="MDN homepage"><svg id="mdn-docs-logo" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 694.9 104.4" style="enable-background:new 0 0 694.9 104.4" xml:space="preserve" role="img"><title>MDN Web Docs</title><path d="M40.3 0 11.7 92.1H0L28.5 0h11.8zm10.4 0v92.1H40.3V0h10.4zM91 0 62.5 92.1H50.8L79.3 0H91zm10.4 0v92.1H91V0h10.4z" class="logo-m"></path><path d="M627.9 95.6h67v8.8h-67v-8.8z" class="logo-_"></path><path d="M367 42h-4l-10.7 30.8h-5.5l-10.8-26h-.4l-10.5 26h-5.2L308.7 42h-3.8v-5.6H323V42h-6.5l6.8 20.4h.4l10.3-26h4.7l11.2 26h.5l5.7-20.3h-6.2v-5.6H367V42zm34.9 20c-.4 3.2-2 5.9-4.7 8.2-2.8 2.3-6.5 3.4-11.3 3.4-5.4 0-9.7-1.6-13.1-4.7-3.3-3.2-5-7.7-5-13.7 0-5.7 1.6-10.3 4.7-14s7.4-5.5 12.9-5.5c5.1 0 9.1 1.6 11.9 4.7s4.3 6.9 4.3 11.3c0 1.5-.2 3-.5 4.7h-25.6c.3 7.7 4 11.6 10.9 11.6 2.9 0 5.1-.7 6.5-2 1.5-1.4 2.5-3 3-4.9l6 .9zM394 51.3c.2-2.4-.4-4.7-1.8-6.9s-3.8-3.3-7-3.3c-3.1 0-5.3 1-6.9 3-1.5 2-2.5 4.4-2.8 7.2H394zm51 2.4c0 5-1.3 9.5-4 13.7s-6.9 6.2-12.7 6.2c-6 0-10.3-2.2-12.7-6.7-.1.4-.2 1.4-.4 2.9s-.3 2.5-.4 2.9h-7.3c.3-1.7.6-3.5.8-5.3.3-1.8.4-3.7.4-5.5V22.3h-6v-5.6H416v27c1.1-2.2 2.7-4.1 4.7-5.7 2-1.6 4.8-2.4 8.4-2.4 4.6 0 8.4 1.6 11.4 4.7 3 3.2 4.5 7.6 4.5 13.4zm-7.7.6c0-4.2-1-7.4-3-9.5-2-2.2-4.4-3.3-7.4-3.3-3.4 0-6 1.2-8 3.7-1.9 2.4-2.9 5-3 7.7V57c0 3 1 5.6 3 7.7s4.5 3.1 7.6 3.1c3.6 0 6.3-1.3 8.1-3.9 1.8-2.7 2.7-5.9 2.7-9.6zm69.2 18.5h-13.2v-7.2c-1.2 2.2-2.8 4.1-4.9 5.6-2.1 1.6-4.8 2.4-8.3 2.4-4.8 0-8.7-1.6-11.6-4.9-2.9-3.2-4.3-7.7-4.3-13.3 0-5 1.3-9.6 4-13.7 2.6-4.1 6.9-6.2 12.8-6.2 5.7 0 9.8 2.2 12.3 6.5V22.3h-8.6v-5.6h15.8v50.6h6v5.5zM493.2 56v-4.4c-.1-3-1.2-5.5-3.2-7.3s-4.4-2.8-7.2-2.8c-3.6 0-6.3 1.3-8.2 3.9-1.9 2.6-2.8 5.8-2.8 9.6 0 4.1 1 7.3 3 9.5s4.5 3.3 7.4 3.3c3.2 0 5.8-1.3 7.8-3.8 2.1-2.6 3.1-5.3 3.2-8zm53.1-1.4c0 5.6-1.8 10.2-5.3 13.7s-8.2 5.3-13.9 5.3-10.1-1.7-13.4-5.1c-3.3-3.4-5-7.9-5-13.5 0-5.3 1.6-9.9 4.7-13.7 3.2-3.8 7.9-5.7 14.2-5.7s11 1.9 14.1 5.7c3 3.7 4.6 8.1 4.6 13.3zm-7.7-.2c0-4-1-7.2-3-9.5s-4.8-3.5-8.2-3.5c-3.6 0-6.4 1.2-8.3 3.7s-2.9 5.6-2.9 9.5c0 3.7.9 6.8 2.8 9.4 1.9 2.6 4.6 3.9 8.3 3.9 3.6 0 6.4-1.3 8.4-3.8 1.9-2.6 2.9-5.8 2.9-9.7zm45 5.8c-.4 3.2-1.9 6.3-4.4 9.1-2.5 2.9-6.4 4.3-11.8 4.3-5.2 0-9.4-1.6-12.6-4.8-3.2-3.2-4.8-7.7-4.8-13.7 0-5.5 1.6-10.1 4.7-13.9 3.2-3.8 7.6-5.7 13.2-5.7 2.3 0 4.6.3 6.7.8 2.2.5 4.2 1.5 6.2 2.9l1.5 9.5-5.9.7-1.3-6.1c-2.1-1.2-4.5-1.8-7.2-1.8-3.5 0-6.1 1.2-7.7 3.7-1.7 2.5-2.5 5.7-2.5 9.6 0 4.1.9 7.3 2.7 9.5 1.8 2.3 4.4 3.4 7.8 3.4 5.2 0 8.2-2.9 9.2-8.8l6.2 1.3zm34.7 1.9c0 3.6-1.5 6.5-4.6 8.5s-7 3-11.7 3c-5.7 0-10.6-1.2-14.6-3.6l1.2-8.8 5.7.6-.2 4.7c1.1.5 2.3.9 3.6 1.1s2.6.3 3.9.3c2.4 0 4.5-.4 6.5-1.3 1.9-.9 2.9-2.2 2.9-4.1 0-1.8-.8-3.1-2.3-3.8s-3.5-1.3-5.8-1.7-4.6-.9-6.9-1.4c-2.3-.6-4.2-1.6-5.7-2.9-1.6-1.4-2.3-3.5-2.3-6.3 0-4.1 1.5-6.9 4.6-8.5s6.4-2.4 9.9-2.4c2.6 0 5 .3 7.2.9 2.2.6 4.3 1.4 6.1 2.4l.8 8.8-5.8.7-.8-5.7c-2.3-1-4.7-1.6-7.2-1.6-2.1 0-3.7.4-5.1 1.1-1.3.8-2 2-2 3.8 0 1.7.8 2.9 2.3 3.6 1.5.7 3.4 1.2 5.7 1.6 2.2.4 4.5.8 6.7 1.4 2.2.6 4.1 1.6 5.7 3 1.4 1.6 2.2 3.7 2.2 6.6zM197.6 73.2h-17.1v-5.5h3.8V51.9c0-3.7-.7-6.3-2.1-7.9-1.4-1.6-3.3-2.3-5.7-2.3-3.2 0-5.6 1.1-7.2 3.4s-2.4 4.6-2.5 6.9v15.6h6v5.5h-17.1v-5.5h3.8V51.9c0-3.8-.7-6.4-2.1-7.9-1.4-1.5-3.3-2.3-5.6-2.3-3.2 0-5.5 1.1-7.2 3.3-1.6 2.2-2.4 4.5-2.5 6.9v15.8h6.9v5.5h-20.2v-5.5h6V42.4h-6.1v-5.6h13.4v6.4c1.2-2.1 2.7-3.8 4.7-5.2 2-1.3 4.4-2 7.3-2s5.3.7 7.5 2.1c2.2 1.4 3.7 3.5 4.5 6.4 1.1-2.5 2.7-4.5 4.9-6.1s4.8-2.4 7.9-2.4c3.5 0 6.5 1.1 8.9 3.3s3.7 5.6 3.7 10.2v18.2h6.1v5.5zm42.5 0h-13.2V66c-1.2 2.2-2.8 4.1-4.9 5.6-2.1 1.6-4.8 2.4-8.3 2.4-4.8 0-8.7-1.6-11.6-4.9-2.9-3.2-4.3-7.7-4.3-13.3 0-5 1.3-9.6 4-13.7 2.6-4.1 6.9-6.2 12.8-6.2s9.8 2.2 12.3 6.5V22.7h-8.6v-5.6h15.8v50.6h6v5.5zm-13.3-16.8V52c-.1-3-1.2-5.5-3.2-7.3s-4.4-2.8-7.2-2.8c-3.6 0-6.3 1.3-8.2 3.9-1.9 2.6-2.8 5.8-2.8 9.6 0 4.1 1 7.3 3 9.5s4.5 3.3 7.4 3.3c3.2 0 5.8-1.3 7.8-3.8 2.1-2.6 3.1-5.3 3.2-8zm61.5 16.8H269v-5.5h6V51.9c0-3.7-.7-6.3-2.2-7.9-1.4-1.6-3.4-2.3-5.7-2.3-3.1 0-5.6 1-7.4 3s-2.8 4.4-2.9 7v15.9h6v5.5h-19.3v-5.5h6V42.4h-6.2v-5.6h13.6V43c2.6-4.6 6.8-6.9 12.7-6.9 3.6 0 6.7 1.1 9.2 3.3s3.7 5.6 3.7 10.2v18.2h6v5.4h-.2z" class="logo-text"></path></svg></a><button title="Open main menu" type="button" class="button action has-icon main-menu-toggle" aria-haspopup="menu" aria-label="Open main menu" aria-expanded="false"><span class="button-wrap"><span class="icon icon-menu "></span><span class="visually-hidden">Open main menu</span></span></button></div><div class="top-navigation-main"><nav class="main-nav" aria-label="Main menu"><ul class="main-menu nojs"><li class="top-level-entry-container active"><button type="button" id="references-button" class="top-level-entry menu-toggle" aria-controls="references-menu" aria-expanded="false">References</button><a href="/en-US/docs/Web" class="top-level-entry">References</a><ul id="references-menu" class="submenu references hidden inline-submenu-lg" aria-labelledby="references-button"><li class="apis-link-container mobile-only "><a href="/en-US/docs/Web" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview / Web Technology</div><p class="submenu-item-description">Web technology reference for developers</p></div></a></li><li class="html-link-container "><a href="/en-US/docs/Web/HTML" class="submenu-item "><div class="submenu-icon html"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTML</div><p class="submenu-item-description">Structure of content on the web</p></div></a></li><li class="css-link-container "><a href="/en-US/docs/Web/CSS" class="submenu-item "><div class="submenu-icon css"></div><div class="submenu-content-container"><div class="submenu-item-heading">CSS</div><p class="submenu-item-description">Code used to describe document style</p></div></a></li><li class="javascript-link-container "><a href="/en-US/docs/Web/JavaScript" class="submenu-item "><div class="submenu-icon javascript"></div><div class="submenu-content-container"><div class="submenu-item-heading">JavaScript</div><p class="submenu-item-description">General-purpose scripting language</p></div></a></li><li class="http-link-container "><a href="/en-US/docs/Web/HTTP" class="submenu-item "><div class="submenu-icon http"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTTP</div><p class="submenu-item-description">Protocol for transmitting web resources</p></div></a></li><li class="apis-link-container "><a href="/en-US/docs/Web/API" class="submenu-item "><div class="submenu-icon apis"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web APIs</div><p class="submenu-item-description">Interfaces for building web applications</p></div></a></li><li class="apis-link-container "><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web Extensions</div><p class="submenu-item-description">Developing extensions for web browsers</p></div></a></li><li class=" "><a href="/en-US/docs/Web/Accessibility" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Accessibility</div><p class="submenu-item-description">Build web projects usable for all</p></div></a></li><li class="apis-link-container desktop-only "><a href="/en-US/docs/Web" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web Technology</div><p class="submenu-item-description">Web technology reference for developers</p></div></a></li></ul></li><li class="top-level-entry-container "><button type="button" id="learn-button" class="top-level-entry menu-toggle" aria-controls="learn-menu" aria-expanded="false">Learn</button><a href="/en-US/docs/Learn_web_development" class="top-level-entry">Learn</a><ul id="learn-menu" class="submenu learn hidden inline-submenu-lg" aria-labelledby="learn-button"><li class="apis-link-container mobile-only "><a href="/en-US/docs/Learn_web_development" class="submenu-item "><div class="submenu-icon learn"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview / MDN Learning Area</div><p class="submenu-item-description">Learn web development</p></div></a></li><li class="apis-link-container desktop-only "><a href="/en-US/docs/Learn_web_development" class="submenu-item "><div class="submenu-icon learn"></div><div class="submenu-content-container"><div class="submenu-item-heading">MDN Learning Area</div><p class="submenu-item-description">Learn web development</p></div></a></li><li class="html-link-container "><a href="/en-US/docs/Learn_web_development/Core/Structuring_content" class="submenu-item "><div class="submenu-icon html"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTML</div><p class="submenu-item-description">Learn to structure web content with HTML</p></div></a></li><li class="css-link-container "><a href="/en-US/docs/Learn_web_development/Core/Styling_basics" class="submenu-item "><div class="submenu-icon css"></div><div class="submenu-content-container"><div class="submenu-item-heading">CSS</div><p class="submenu-item-description">Learn to style content using CSS</p></div></a></li><li class="javascript-link-container "><a href="/en-US/docs/Learn_web_development/Core/Scripting" class="submenu-item "><div class="submenu-icon javascript"></div><div class="submenu-content-container"><div class="submenu-item-heading">JavaScript</div><p class="submenu-item-description">Learn to run scripts in the browser</p></div></a></li><li class=" "><a href="/en-US/docs/Learn_web_development/Core/Accessibility" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Accessibility</div><p class="submenu-item-description">Learn to make the web accessible to all</p></div></a></li></ul></li><li class="top-level-entry-container "><button type="button" id="mdn-plus-button" class="top-level-entry menu-toggle" aria-controls="mdn-plus-menu" aria-expanded="false">Plus</button><a href="/en-US/plus" class="top-level-entry">Plus</a><ul id="mdn-plus-menu" class="submenu mdn-plus hidden inline-submenu-lg" aria-labelledby="mdn-plus-button"><li class=" "><a href="/en-US/plus" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview</div><p class="submenu-item-description">A customized MDN experience</p></div></a></li><li class=" "><a href="/en-US/plus/ai-help" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">AI Help</div><p class="submenu-item-description">Get real-time assistance and support</p></div></a></li><li class=" "><a href="/en-US/plus/updates" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Updates</div><p class="submenu-item-description">All browser compatibility updates at a glance</p></div></a></li><li class=" "><a href="/en-US/plus/docs/features/overview" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Documentation</div><p class="submenu-item-description">Learn how to use MDN Plus</p></div></a></li><li class=" "><a href="/en-US/plus/docs/faq" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">FAQ</div><p class="submenu-item-description">Frequently asked questions about MDN Plus</p></div></a></li></ul></li><li class="top-level-entry-container "><a class="top-level-entry menu-link" href="/en-US/curriculum/">Curriculum <sup class="new">New</sup></a></li><li class="top-level-entry-container "><a class="top-level-entry menu-link" href="/en-US/blog/">Blog</a></li><li class="top-level-entry-container "><button type="button" id="tools-button" class="top-level-entry menu-toggle" aria-controls="tools-menu" aria-expanded="false">Tools</button><ul id="tools-menu" class="submenu tools hidden inline-submenu-lg" aria-labelledby="tools-button"><li class=" "><a href="/en-US/play" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Playground</div><p class="submenu-item-description">Write, test and share your code</p></div></a></li><li class=" "><a href="/en-US/observatory" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTTP Observatory</div><p class="submenu-item-description">Scan a website for free</p></div></a></li><li class=" "><a href="/en-US/plus/ai-help" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">AI Help</div><p class="submenu-item-description">Get real-time assistance and support</p></div></a></li></ul></li></ul></nav><div class="header-search"><form action="/en-US/search" class="search-form search-widget" id="top-nav-search-form" role="search"><label id="top-nav-search-label" for="top-nav-search-input" class="visually-hidden">Search MDN</label><input aria-activedescendant="" aria-autocomplete="list" aria-controls="top-nav-search-menu" aria-expanded="false" aria-labelledby="top-nav-search-label" autoComplete="off" id="top-nav-search-input" role="combobox" type="search" class="search-input-field" name="q" placeholder="   " required="" value=""/><button type="button" class="button action has-icon clear-search-button"><span class="button-wrap"><span class="icon icon-cancel "></span><span class="visually-hidden">Clear search input</span></span></button><button type="submit" class="button action has-icon search-button"><span class="button-wrap"><span class="icon icon-search "></span><span class="visually-hidden">Search</span></span></button><div id="top-nav-search-menu" role="listbox" aria-labelledby="top-nav-search-label"></div></form></div><div class="theme-switcher-menu"><button type="button" class="button action has-icon theme-switcher-menu small" aria-haspopup="menu"><span class="button-wrap"><span class="icon icon-theme-os-default "></span>Theme</span></button></div><ul class="auth-container"><li><a href="/users/fxa/login/authenticate/?next=%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FWWW-Authenticate" class="login-link" rel="nofollow">Log in</a></li><li><a href="/users/fxa/login/authenticate/?next=%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FWWW-Authenticate" target="_self" rel="nofollow" class="button primary mdn-plus-subscribe-link"><span class="button-wrap">Sign up for free</span></a></li></ul></div></div></header><div class="article-actions-container"><div class="container"><button type="button" class="button action has-icon sidebar-button" aria-label="Expand sidebar" aria-expanded="false" aria-controls="sidebar-quicklinks"><span class="button-wrap"><span class="icon icon-sidebar "></span></span></button><nav class="breadcrumbs-container" aria-label="Breadcrumb"><ol typeof="BreadcrumbList" vocab="https://schema.org/" aria-label="breadcrumbs"><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web" class="breadcrumb" property="item" typeof="WebPage"><span property="name">References</span></a><meta property="position" content="1"/></li><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web/HTTP" class="breadcrumb" property="item" typeof="WebPage"><span property="name">HTTP</span></a><meta property="position" content="2"/></li><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web/HTTP/Headers" class="breadcrumb" property="item" typeof="WebPage"><span property="name">Headers</span></a><meta property="position" content="3"/></li><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web/HTTP/Headers/WWW-Authenticate" class="breadcrumb-current-page" property="item" typeof="WebPage"><span property="name">WWW-Authenticate</span></a><meta property="position" content="4"/></li></ol></nav><div class="article-actions"><button type="button" class="button action has-icon article-actions-toggle" aria-label="Article actions"><span class="button-wrap"><span class="icon icon-ellipses "></span><span class="article-actions-dialog-heading">Article Actions</span></span></button><ul class="article-actions-entries"><li class="article-actions-entry"><div class="languages-switcher-menu open-on-focus-within"><button id="languages-switcher-button" type="button" class="button action small has-icon languages-switcher-menu" aria-haspopup="menu"><span class="button-wrap"><span class="icon icon-language "></span>English (US)</span></button><div class="hidden"><ul class="submenu language-menu " aria-labelledby="language-menu-button"><li class=" "><form class="submenu-item locale-redirect-setting"><div class="group"><label class="switch"><input type="checkbox" name="locale-redirect"/><span class="slider"></span><span class="label">Remember language</span></label><a href="https://github.com/orgs/mdn/discussions/739" rel="external noopener noreferrer" target="_blank" title="Enable this setting to automatically switch to this language when it&#x27;s available. (Click to learn more.)"><span class="icon icon-question-mark "></span></a></div></form></li><li class=" "><a data-locale="de" href="/de/docs/Web/HTTP/Headers/WWW-Authenticate" class="button submenu-item"><span>Deutsch</span><span title="Diese Übersetzung ist Teil eines Experiments."><span class="icon icon-experimental "></span></span></a></li><li class=" "><a data-locale="es" href="/es/docs/Web/HTTP/Headers/WWW-Authenticate" class="button submenu-item"><span>Español</span></a></li><li class=" "><a data-locale="fr" href="/fr/docs/Web/HTTP/Headers/WWW-Authenticate" class="button submenu-item"><span>Français</span></a></li><li class=" "><a data-locale="ja" href="/ja/docs/Web/HTTP/Headers/WWW-Authenticate" class="button submenu-item"><span>日本語</span></a></li><li class=" "><a data-locale="pt-BR" href="/pt-BR/docs/Web/HTTP/Headers/WWW-Authenticate" class="button submenu-item"><span>Português (do Brasil)</span></a></li><li class=" "><a data-locale="zh-CN" href="/zh-CN/docs/Web/HTTP/Headers/WWW-Authenticate" class="button submenu-item"><span>中文 (简体)</span></a></li></ul></div></div></li></ul></div></div></div></div><div class="main-wrapper"><div class="sidebar-container"><aside id="sidebar-quicklinks" class="sidebar"><button type="button" class="button action backdrop" aria-label="Collapse sidebar"><span class="button-wrap"></span></button><nav aria-label="Related Topics" class="sidebar-inner"><header class="sidebar-actions"><section class="sidebar-filter-container"><div class="sidebar-filter "><label id="sidebar-filter-label" class="sidebar-filter-label" for="sidebar-filter-input"><span class="icon icon-filter"></span><span class="visually-hidden">Filter sidebar</span></label><input id="sidebar-filter-input" autoComplete="off" class="sidebar-filter-input-field false" type="text" placeholder="Filter" value=""/><button type="button" class="button action has-icon clear-sidebar-filter-button"><span class="button-wrap"><span class="icon icon-cancel "></span><span class="visually-hidden">Clear filter input</span></span></button></div></section></header><div class="sidebar-inner-nav"><div class="in-nav-toc"><div class="document-toc-container"><section class="document-toc"><header><h2 class="document-toc-heading">In this article</h2></header><ul class="document-toc-list"><li class="document-toc-item "><a class="document-toc-link" href="#syntax">Syntax</a></li><li class="document-toc-item "><a class="document-toc-link" href="#directives">Directives</a></li><li class="document-toc-item "><a class="document-toc-link" href="#examples">Examples</a></li><li class="document-toc-item "><a class="document-toc-link" href="#specifications">Specifications</a></li><li class="document-toc-item "><a class="document-toc-link" href="#browser_compatibility">Browser compatibility</a></li><li class="document-toc-item "><a class="document-toc-link" href="#see_also">See also</a></li></ul></section></div></div><div class="sidebar-body"><ol><li class="section"><a href="/en-US/docs/Web/HTTP">HTTP</a></li><li class="section">Guides</li><li><a href="/en-US/docs/Web/HTTP/Overview">An overview of HTTP</a></li><li><a href="/en-US/docs/Web/HTTP/Session">A typical HTTP session</a></li><li><a href="/en-US/docs/Web/HTTP/Messages">HTTP messages</a></li><li><a href="/en-US/docs/Web/HTTP/MIME_types">MIME types (IANA media types)</a></li><li><a href="/en-US/docs/Web/HTTP/Compression">Compression in HTTP</a></li><li><a href="/en-US/docs/Web/HTTP/Caching">HTTP caching</a></li><li><a href="/en-US/docs/Web/HTTP/Authentication">HTTP authentication</a></li><li><a href="/en-US/docs/Web/HTTP/Cookies">Using HTTP cookies</a></li><li><a href="/en-US/docs/Web/HTTP/Redirections">Redirections in HTTP</a></li><li><a href="/en-US/docs/Web/HTTP/Conditional_requests">HTTP conditional requests</a></li><li><a href="/en-US/docs/Web/HTTP/Range_requests">HTTP range requests</a></li><li><a href="/en-US/docs/Web/HTTP/Content_negotiation">Content negotiation</a></li><li><a href="/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x">Connection management in HTTP/1.x</a></li><li><a href="/en-US/docs/Web/HTTP/Evolution_of_HTTP">Evolution of HTTP</a></li><li><a href="/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism">Protocol upgrade mechanism</a></li><li><a href="/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling">Proxy servers and tunneling</a></li><li><a href="/en-US/docs/Web/HTTP/Client_hints">HTTP Client hints</a></li><li class="toggle"><details><summary>Security and privacy</summary><ol><li><a href="/en-US/docs/Web/Security/Practical_implementation_guides">Practical security implementation guides</a></li><li><a href="/en-US/observatory">HTTP Observatory</a></li><li><a href="/en-US/docs/Web/HTTP/Permissions_Policy">Permissions Policy</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/CSP">Content Security Policy (CSP)</a></li><li><a href="/en-US/docs/Web/HTTP/CORS">Cross-Origin Resource Sharing (CORS)</a></li><li><a href="/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy">Cross-Origin Resource Policy (CORP)</a></li><li><a href="/en-US/docs/Web/HTTP/Headers">Headers</a></li></ol></details></li><li class="section">References</li><li class="toggle"><details open=""><summary>HTTP headers</summary><ol><li><a href="/en-US/docs/Web/HTTP/Headers/Accept"><code>Accept</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-CH"><code>Accept-CH</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Encoding"><code>Accept-Encoding</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Language"><code>Accept-Language</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Patch"><code>Accept-Patch</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Post"><code>Accept-Post</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Ranges"><code>Accept-Ranges</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials"><code>Access-Control-Allow-Credentials</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers"><code>Access-Control-Allow-Headers</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods"><code>Access-Control-Allow-Methods</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"><code>Access-Control-Allow-Origin</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers"><code>Access-Control-Expose-Headers</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age"><code>Access-Control-Max-Age</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers"><code>Access-Control-Request-Headers</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method"><code>Access-Control-Request-Method</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Age"><code>Age</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Allow"><code>Allow</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Alt-Svc"><code>Alt-Svc</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Alt-Used"><code>Alt-Used</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Eligible"><code>Attribution-Reporting-Eligible</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Source"><code>Attribution-Reporting-Register-Source</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Trigger"><code>Attribution-Reporting-Register-Trigger</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cache-Control"><code>Cache-Control</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Clear-Site-Data"><code>Clear-Site-Data</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Connection"><code>Connection</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Digest"><code>Content-Digest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Disposition"><code>Content-Disposition</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-DPR"><code>Content-DPR</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Encoding"><code>Content-Encoding</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Language"><code>Content-Language</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Length"><code>Content-Length</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Location"><code>Content-Location</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Range"><code>Content-Range</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"><code>Content-Security-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only"><code>Content-Security-Policy-Report-Only</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Type"><code>Content-Type</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cookie"><code>Cookie</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Critical-CH"><code>Critical-CH</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy"><code>Cross-Origin-Embedder-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy"><code>Cross-Origin-Opener-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy"><code>Cross-Origin-Resource-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Date"><code>Date</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Device-Memory"><code>Device-Memory</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/DNT"><code>DNT</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Downlink"><code>Downlink</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/DPR"><code>DPR</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Early-Data"><code>Early-Data</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/ECT"><code>ECT</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/ETag"><code>ETag</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Expect"><code>Expect</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Expect-CT"><code>Expect-CT</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Expires"><code>Expires</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Forwarded"><code>Forwarded</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/From"><code>From</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Host"><code>Host</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-Match"><code>If-Match</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-Modified-Since"><code>If-Modified-Since</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-None-Match"><code>If-None-Match</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-Range"><code>If-Range</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"><code>If-Unmodified-Since</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Keep-Alive"><code>Keep-Alive</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Last-Modified"><code>Last-Modified</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Link"><code>Link</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Location"><code>Location</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Max-Forwards"><code>Max-Forwards</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/NEL"><code>NEL</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/No-Vary-Search"><code>No-Vary-Search</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Observe-Browsing-Topics"><code>Observe-Browsing-Topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Origin"><code>Origin</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster"><code>Origin-Agent-Cluster</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy"><code>Permissions-Policy</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Pragma"><code>Pragma</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Priority"><code>Priority</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate"><code>Proxy-Authenticate</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Proxy-Authorization"><code>Proxy-Authorization</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Range"><code>Range</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Referer"><code>Referer</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy"><code>Referrer-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Refresh"><code>Refresh</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Report-To"><code>Report-To</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints"><code>Reporting-Endpoints</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Repr-Digest"><code>Repr-Digest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Retry-After"><code>Retry-After</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/RTT"><code>RTT</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Save-Data"><code>Save-Data</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Browsing-Topics"><code>Sec-Browsing-Topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Color-Scheme"><code>Sec-CH-Prefers-Color-Scheme</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Motion"><code>Sec-CH-Prefers-Reduced-Motion</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Transparency"><code>Sec-CH-Prefers-Reduced-Transparency</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA"><code>Sec-CH-UA</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Arch"><code>Sec-CH-UA-Arch</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Bitness"><code>Sec-CH-UA-Bitness</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version"><code>Sec-CH-UA-Full-Version</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version-List"><code>Sec-CH-UA-Full-Version-List</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Mobile"><code>Sec-CH-UA-Mobile</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Model"><code>Sec-CH-UA-Model</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform"><code>Sec-CH-UA-Platform</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform-Version"><code>Sec-CH-UA-Platform-Version</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest"><code>Sec-Fetch-Dest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode"><code>Sec-Fetch-Mode</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site"><code>Sec-Fetch-Site</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User"><code>Sec-Fetch-User</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-GPC"><code>Sec-GPC</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Purpose"><code>Sec-Purpose</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept"><code>Sec-WebSocket-Accept</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Extensions"><code>Sec-WebSocket-Extensions</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Key"><code>Sec-WebSocket-Key</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Protocol"><code>Sec-WebSocket-Protocol</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Version"><code>Sec-WebSocket-Version</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Server"><code>Server</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Server-Timing"><code>Server-Timing</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Service-Worker"><code>Service-Worker</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Service-Worker-Allowed"><code>Service-Worker-Allowed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Service-Worker-Navigation-Preload"><code>Service-Worker-Navigation-Preload</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Set-Cookie"><code>Set-Cookie</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Set-Login"><code>Set-Login</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/SourceMap"><code>SourceMap</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Speculation-Rules"><code>Speculation-Rules</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security"><code>Strict-Transport-Security</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode"><code>Supports-Loading-Mode</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/TE"><code>TE</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin"><code>Timing-Allow-Origin</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Tk"><code>Tk</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Trailer"><code>Trailer</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Transfer-Encoding"><code>Transfer-Encoding</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Upgrade"><code>Upgrade</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests"><code>Upgrade-Insecure-Requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/User-Agent"><code>User-Agent</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Vary"><code>Vary</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Via"><code>Via</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Viewport-Width"><code>Viewport-Width</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Want-Content-Digest"><code>Want-Content-Digest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest"><code>Want-Repr-Digest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Warning"><code>Warning</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Width"><code>Width</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><em><a href="/en-US/docs/Web/HTTP/Headers/WWW-Authenticate" aria-current="page"><code>WWW-Authenticate</code></a></em></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options"><code>X-Content-Type-Options</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control"><code>X-DNS-Prefetch-Control</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-For"><code>X-Forwarded-For</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host"><code>X-Forwarded-Host</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto"><code>X-Forwarded-Proto</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Frame-Options"><code>X-Frame-Options</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Permitted-Cross-Domain-Policies"><code>X-Permitted-Cross-Domain-Policies</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Powered-By"><code>X-Powered-By</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Robots-Tag"><code>X-Robots-Tag</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-XSS-Protection"><code>X-XSS-Protection</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li></ol></details></li><li class="toggle"><details><summary>HTTP request methods</summary><ol><li><a href="/en-US/docs/Web/HTTP/Methods/CONNECT"><code>CONNECT</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/DELETE"><code>DELETE</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/GET"><code>GET</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/HEAD"><code>HEAD</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/OPTIONS"><code>OPTIONS</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/PATCH"><code>PATCH</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/POST"><code>POST</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/PUT"><code>PUT</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/TRACE"><code>TRACE</code></a></li></ol></details></li><li class="toggle"><details><summary>HTTP response status codes</summary><ol><li><a href="/en-US/docs/Web/HTTP/Status/100"><code>100 Continue</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/101"><code>101 Switching Protocols</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/102"><code>102 Processing</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/103"><code>103 Early Hints</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/200"><code>200 OK</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/201"><code>201 Created</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/202"><code>202 Accepted</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/203"><code>203 Non-Authoritative Information</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/204"><code>204 No Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/205"><code>205 Reset Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/206"><code>206 Partial Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/207"><code>207 Multi-Status</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/208"><code>208 Already Reported</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/226"><code>226 IM Used</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/300"><code>300 Multiple Choices</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/301"><code>301 Moved Permanently</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/302"><code>302 Found</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/303"><code>303 See Other</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/304"><code>304 Not Modified</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/307"><code>307 Temporary Redirect</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/308"><code>308 Permanent Redirect</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/400"><code>400 Bad Request</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/401"><code>401 Unauthorized</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/402"><code>402 Payment Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/403"><code>403 Forbidden</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/404"><code>404 Not Found</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/405"><code>405 Method Not Allowed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/406"><code>406 Not Acceptable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/407"><code>407 Proxy Authentication Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/408"><code>408 Request Timeout</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/409"><code>409 Conflict</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/410"><code>410 Gone</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/411"><code>411 Length Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/412"><code>412 Precondition Failed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/413"><code>413 Content Too Large</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/414"><code>414 URI Too Long</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/415"><code>415 Unsupported Media Type</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/416"><code>416 Range Not Satisfiable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/417"><code>417 Expectation Failed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/418"><code>418 I'm a teapot</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/421"><code>421 Misdirected Request</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/422"><code>422 Unprocessable Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/423"><code>423 Locked</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/424"><code>424 Failed Dependency</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/425"><code>425 Too Early</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/426"><code>426 Upgrade Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/428"><code>428 Precondition Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/429"><code>429 Too Many Requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/431"><code>431 Request Header Fields Too Large</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/451"><code>451 Unavailable For Legal Reasons</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/500"><code>500 Internal Server Error</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/501"><code>501 Not Implemented</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/502"><code>502 Bad Gateway</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/503"><code>503 Service Unavailable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/504"><code>504 Gateway Timeout</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/505"><code>505 HTTP Version Not Supported</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/506"><code>506 Variant Also Negotiates</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/507"><code>507 Insufficient Storage</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/508"><code>508 Loop Detected</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/510"><code>510 Not Extended</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/511"><code>511 Network Authentication Required</code></a></li></ol></details></li><li class="toggle"><details><summary>CSP directives</summary><ol><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri"><code>CSP: base-uri</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content"><code>CSP: block-all-mixed-content</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src"><code>CSP: child-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src"><code>CSP: connect-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src"><code>CSP: default-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src"><code>CSP: fenced-frame-src</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src"><code>CSP: font-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action"><code>CSP: form-action</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"><code>CSP: frame-ancestors</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src"><code>CSP: frame-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src"><code>CSP: img-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src"><code>CSP: manifest-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src"><code>CSP: media-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src"><code>CSP: object-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src"><code>CSP: prefetch-src</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to"><code>CSP: report-to</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri"><code>CSP: report-uri</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites."> <span class="visually-hidden">Deprecated</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for"><code>CSP: require-trusted-types-for</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox"><code>CSP: sandbox</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>CSP: script-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr"><code>CSP: script-src-attr</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem"><code>CSP: script-src-elem</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src"><code>CSP: style-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr"><code>CSP: style-src-attr</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem"><code>CSP: style-src-elem</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types"><code>CSP: trusted-types</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests"><code>CSP: upgrade-insecure-requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src"><code>CSP: worker-src</code></a></li></ol></details></li><li class="toggle"><details><summary>CORS errors</summary><ol><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled"><code>Reason: CORS disabled</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin"><code>Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin"><code>Reason: CORS header 'Access-Control-Allow-Origin' missing</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded"><code>Reason: CORS header 'Origin' cannot be added</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed"><code>Reason: CORS preflight channel did not succeed</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed"><code>Reason: CORS request did not succeed</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed"><code>Reason: CORS request external redirect not allowed</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp"><code>Reason: CORS request not HTTP</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"><code>Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMethodNotFound"><code>Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials"><code>Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowHeader"><code>Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowMethod"><code>Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowHeaderFromPreflight"><code>Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel</code></a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed"><code>Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed</code></a></li></ol></details></li><li class="toggle"><details><summary>Permissions-Policy directives</summary><ol><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer"><code>Permissions-Policy: accelerometer</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor"><code>Permissions-Policy: ambient-light-sensor</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/attribution-reporting"><code>Permissions-Policy: attribution-reporting</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay"><code>Permissions-Policy: autoplay</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/bluetooth"><code>Permissions-Policy: bluetooth</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics"><code>Permissions-Policy: browsing-topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."> <span class="visually-hidden">Non-standard</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera"><code>Permissions-Policy: camera</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure"><code>Permissions-Policy: compute-pressure</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/cross-origin-isolated"><code>Permissions-Policy: cross-origin-isolated</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture"><code>Permissions-Policy: display-capture</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain"><code>Permissions-Policy: document-domain</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media"><code>Permissions-Policy: encrypted-media</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen"><code>Permissions-Policy: fullscreen</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad"><code>Permissions-Policy: gamepad</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation"><code>Permissions-Policy: geolocation</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope"><code>Permissions-Policy: gyroscope</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid"><code>Permissions-Policy: hid</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get"><code>Permissions-Policy: identity-credentials-get</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection"><code>Permissions-Policy: idle-detection</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/local-fonts"><code>Permissions-Policy: local-fonts</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer"><code>Permissions-Policy: magnetometer</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone"><code>Permissions-Policy: microphone</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi"><code>Permissions-Policy: midi</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/otp-credentials"><code>Permissions-Policy: otp-credentials</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment"><code>Permissions-Policy: payment</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture"><code>Permissions-Policy: picture-in-picture</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create"><code>Permissions-Policy: publickey-credentials-create</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get"><code>Permissions-Policy: publickey-credentials-get</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock"><code>Permissions-Policy: screen-wake-lock</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial"><code>Permissions-Policy: serial</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection"><code>Permissions-Policy: speaker-selection</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access"><code>Permissions-Policy: storage-access</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb"><code>Permissions-Policy: usb</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share"><code>Permissions-Policy: web-share</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management"><code>Permissions-Policy: window-management</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking"><code>Permissions-Policy: xr-spatial-tracking</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future."> <span class="visually-hidden">Experimental</span> </abbr></li></ol></details></li><li><a href="/en-US/docs/Web/HTTP/Resources_and_specifications">HTTP resources and specifications</a></li></ol></div></div><section class="place side"></section></nav></aside><div class="toc-container"><aside class="toc"><nav><div class="document-toc-container"><section class="document-toc"><header><h2 class="document-toc-heading">In this article</h2></header><ul class="document-toc-list"><li class="document-toc-item "><a class="document-toc-link" href="#syntax">Syntax</a></li><li class="document-toc-item "><a class="document-toc-link" href="#directives">Directives</a></li><li class="document-toc-item "><a class="document-toc-link" href="#examples">Examples</a></li><li class="document-toc-item "><a class="document-toc-link" href="#specifications">Specifications</a></li><li class="document-toc-item "><a class="document-toc-link" href="#browser_compatibility">Browser compatibility</a></li><li class="document-toc-item "><a class="document-toc-link" href="#see_also">See also</a></li></ul></section></div></nav></aside><section class="place side"></section></div></div><main id="content" class="main-content "><article class="main-page-content" lang="en-US"><header><h1>WWW-Authenticate</h1><details class="baseline-indicator high"><summary><span class="indicator" role="img" aria-label="Baseline Check"></span><div class="status-title">Baseline<!-- --> <span class="not-bold">Widely available</span> *</div><div class="browsers"><span class="engine" title="Supported in Chrome and Edge"><span class="browser chrome supported" role="img" aria-label="Chrome check"></span><span class="browser edge supported" role="img" aria-label="Edge check"></span></span><span class="engine" title="Supported in Firefox"><span class="browser firefox supported" role="img" aria-label="Firefox check"></span></span><span class="engine" title="Supported in Safari"><span class="browser safari supported" role="img" aria-label="Safari check"></span></span></div><span class="icon icon-chevron "></span></summary><div class="extra"><p>This feature is well established and works across many devices and browser versions. It’s been available across browsers since<!-- --> <!-- -->July 2015<!-- -->.</p><p>* Some parts of this feature may have varying levels of support.</p><ul><li><a href="/en-US/docs/Glossary/Baseline/Compatibility" data-glean="baseline_link_learn_more" target="_blank" class="learn-more">Learn more</a></li><li><a href="#browser_compatibility" data-glean="baseline_link_bcd_table">See full compatibility</a></li><li><a href="https://survey.alchemer.com/s3/7634825/MDN-baseline-feedback?page=%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FWWW-Authenticate&amp;level=high" data-glean="baseline_link_feedback" class="feedback-link" target="_blank" rel="noreferrer">Report feedback</a></li></ul></div></details></header><div class="section-content"><p>The HTTP <strong><code>WWW-Authenticate</code></strong> <a href="/en-US/docs/Glossary/Response_header">response header</a> advertises the <a href="/en-US/docs/Web/HTTP/Authentication">HTTP authentication</a> methods (or <a href="/en-US/docs/Glossary/Challenge">challenges</a>) that might be used to gain access to a specific resource.</p> <p>This header is part of the <a href="/en-US/docs/Web/HTTP/Authentication#the_general_http_authentication_framework">General HTTP authentication framework</a>, which can be used with a number of <a href="/en-US/docs/Web/HTTP/Authentication#authentication_schemes">authentication schemes</a>. Each challenge identifies a scheme supported by the server and additional parameters that are defined for that scheme type.</p> <p>A server using <a href="/en-US/docs/Web/HTTP/Authentication">HTTP authentication</a> will respond with a <a href="/en-US/docs/Web/HTTP/Status/401"><code>401 Unauthorized</code></a> response to a request for a protected resource. This response must include at least one <code>WWW-Authenticate</code> header and at least one challenge to indicate what authentication schemes can be used to access the resource and any additional data that each particular scheme needs.</p> <p>Multiple challenges are allowed in one <code>WWW-Authenticate</code> header, and multiple <code>WWW-Authenticate</code> headers are allowed in one response. A server may also include the <code>WWW-Authenticate</code> header in other response messages to indicate that supplying credentials might affect the response.</p> <p>After receiving the <code>WWW-Authenticate</code> header, a client will typically prompt the user for credentials, and then re-request the resource. This new request uses the <a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a> header to supply the credentials to the server, encoded appropriately for the selected authentication method. The client is expected to select the most secure of the challenges it understands (note that in some cases the "most secure" method is debatable).</p> <figure class="table-container"><table class="properties"> <tbody> <tr> <th scope="row">Header type</th> <td><a href="/en-US/docs/Glossary/Response_header">Response header</a></td> </tr> <tr> <th scope="row"><a href="/en-US/docs/Glossary/Forbidden_header_name">Forbidden header name</a></th> <td>No</td> </tr> </tbody> </table></figure></div><section aria-labelledby="syntax"><h2 id="syntax"><a href="#syntax">Syntax</a></h2><div class="section-content"><div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>WWW-Authenticate: &lt;challenge&gt; </code></pre></div> <p>Where a <code>&lt;challenge&gt;</code> is comprised of an <code>&lt;auth-scheme&gt;</code>, followed by an optional <code>&lt;token68&gt;</code> or a comma-separated list of <code>&lt;auth-params&gt;</code>:</p> <pre class="brush: plain notranslate">challenge = &lt;auth-scheme&gt; &lt;auth-param&gt;, …, &lt;auth-paramN&gt; challenge = &lt;auth-scheme&gt; &lt;token68&gt; </pre> <p>For example:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>WWW-Authenticate: &lt;auth-scheme&gt; WWW-Authenticate: &lt;auth-scheme&gt; token68 WWW-Authenticate: &lt;auth-scheme&gt; auth-param1=param-token1 WWW-Authenticate: &lt;auth-scheme&gt; auth-param1=param-token1, …, auth-paramN=param-tokenN </code></pre></div> <p>The presence of a <code>token68</code> or authentication parameters depends on the selected <code>&lt;auth-scheme&gt;</code>. For example, <a href="/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme">Basic authentication</a> requires a <code>&lt;realm&gt;</code>, and allows for optional use of <code>charset</code> key, but does not support a <code>token68</code>:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>WWW-Authenticate: Basic realm="Dev", charset="UTF-8" </code></pre></div> <p>Multiple challenges can be sent in a comma-separated list</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>WWW-Authenticate: &lt;challenge&gt;, …, &lt;challengeN&gt; </code></pre></div> <p>Multiple headers can also be sent in a single response:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>WWW-Authenticate: &lt;challenge&gt; WWW-Authenticate: &lt;challengeN&gt; </code></pre></div></div></section><section aria-labelledby="directives"><h2 id="directives"><a href="#directives">Directives</a></h2><div class="section-content"><dl> <dt id="auth-scheme"><a href="#auth-scheme"><code>&lt;auth-scheme&gt;</code></a></dt> <dd> <p>A case-insensitive token indicating the <a href="/en-US/docs/Web/HTTP/Authentication#authentication_schemes">Authentication scheme</a> used. Some of the more common types are <a href="/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme"><code>Basic</code></a>, <code>Digest</code>, <code>Negotiate</code> and <code>AWS4-HMAC-SHA256</code>. IANA maintains a <a href="https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml" class="external" target="_blank">list of authentication schemes</a>, but there are other schemes offered by host services.</p> </dd> <dt id="auth-param"><a href="#auth-param"><code>&lt;auth-param&gt;</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>An authentication parameter whose format depends on the <code>&lt;auth-scheme&gt;</code>. <code>&lt;realm&gt;</code> is described below as it's a common authentication parameter among many auth schemes.</p> <dl> <dt id="realm"><a href="#realm"><code>&lt;realm&gt;</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>The string <code>realm</code> followed by <code>=</code> and a quoted string describing a protected area, for example <code>realm="staging environment"</code>. A realm allows a server to partition the areas it protects (if supported by a scheme that allows such partitioning). Some clients show this value to the user to inform them about which particular credentials are required — though most browsers stopped doing so to counter phishing. The only reliably supported character set for this value is <code>us-ascii</code>. If no realm is specified, clients often display a formatted hostname instead.</p> </dd> </dl> </dd> <dt id="token68"><a href="#token68"><code>&lt;token68&gt;</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>A token that may be useful for some schemes. The token allows the 66 unreserved URI characters plus a few others. It can hold a <a href="/en-US/docs/Glossary/Base64">base64</a>, base64url, base32, or base16 (hex) encoding, with or without padding, but excluding whitespace. The token68 alternative to auth-param lists is supported for consistency with legacy authentication schemes.</p> </dd> </dl> <p>Generally, you will need to check the relevant specifications for the authentication parameters needed for each <code>&lt;auth-scheme&gt;</code>. The following sections describe token and auth parameters for some common auth schemes.</p></div></section><section aria-labelledby="basic_authentication_directives"><h3 id="basic_authentication_directives"><a href="#basic_authentication_directives">Basic authentication directives</a></h3><div class="section-content"><dl> <dt id="realm_2"><a href="#realm_2"><code>&lt;realm&gt;</code></a></dt> <dd> <p>A <code>&lt;realm&gt;</code> as <a href="#realm">described above</a>. Note that the realm is mandatory for <code>Basic</code> authentication.</p> </dd> <dt id="charsetutf-8"><a href="#charsetutf-8"><code>charset="UTF-8"</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>Tells the client the server's preferred encoding scheme when submitting a username and password. The only allowed value is the case-insensitive string <code>UTF-8</code>. This does not relate to the encoding of the realm string.</p> </dd> </dl></div></section><section aria-labelledby="digest_authentication_directives"><h3 id="digest_authentication_directives"><a href="#digest_authentication_directives">Digest authentication directives</a></h3><div class="section-content"><dl> <dt id="realm_3"><a href="#realm_3"><code>&lt;realm&gt;</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>A <code>&lt;realm&gt;</code> as <a href="#realm">described above</a> indicating which username/password to use. Minimally should include the host name, but might indicate the users or group that have access.</p> </dd> <dt id="domain"><a href="#domain"><code>domain</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>A quoted, space-separated list of URI prefixes that define all the locations where the authentication information may be used. If this key is not specified then the authentication information may be used anywhere on the web root.</p> </dd> <dt id="nonce"><a href="#nonce"><code>nonce</code></a></dt> <dd> <p>A server-specified quoted string that the server can use to control the lifetime in which particular credentials will be considered valid. This must be uniquely generated each time a 401 response is made, and may be regenerated more often (for example, allowing a digest to be used only once). The specification contains advice on possible algorithms for generating this value. The nonce value is opaque to the client.</p> </dd> <dt id="opaque"><a href="#opaque"><code>opaque</code></a></dt> <dd> <p>A server-specified quoted string that should be returned unchanged in the <a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a>. This is opaque to the client. The server is recommended to include Base64 or hexadecimal data.</p> </dd> <dt id="stale"><a href="#stale"><code>stale</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>A case-insensitive flag indicating that the previous request from the client was rejected because the <code>nonce</code> used is too old (stale). If this is <code>true</code> the request can be retried using the same username/password encrypted using the new <code>nonce</code>. If it is any other value then the username/password are invalid and must be re-requested from the user.</p> </dd> <dt id="algorithm"><a href="#algorithm"><code>algorithm</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>A string indicating the algorithm used to produce a digest. Valid non-session values are: <code>MD5</code> (default if <code>algorithm</code> not specified), <code>SHA-256</code>, <code>SHA-512</code>. Valid session values are: <code>MD5-sess</code>, <code>SHA-256-sess</code>, <code>SHA-512-sess</code>.</p> </dd> <dt id="qop"><a href="#qop"><code>qop</code></a></dt> <dd> <p>Quoted string indicating the quality of protection supported by the server. This must be supplied, and unrecognized options must be ignored.</p> <ul> <li><code>"auth"</code>: Authentication</li> <li><code>"auth-int"</code>: Authentication with integrity protection</li> </ul> </dd> <dt id="charsetutf-8_2"><a href="#charsetutf-8_2"><code>charset="UTF-8"</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>Tells the client the server's preferred encoding scheme when submitting a username and password. The only allowed value is the case-insensitive string "UTF-8".</p> </dd> <dt id="userhash"><a href="#userhash"><code>userhash</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>A server may specify <code>"true"</code> to indicate that it supports username hashing (default is <code>"false"</code>)</p> </dd> </dl></div></section><section aria-labelledby="http_origin-bound_authentication_hoba"><h3 id="http_origin-bound_authentication_hoba"><a href="#http_origin-bound_authentication_hoba">HTTP Origin-Bound Authentication (HOBA)</a></h3><div class="section-content"><dl> <dt id="challenge"><a href="#challenge"><code>&lt;challenge&gt;</code></a></dt> <dd> <p>A set of pairs in the format of <code>&lt;len&gt;:&lt;value&gt;</code> concatenated together to be given to a client. The challenge is made of up a nonce, algorithm, origin, realm, key identifier, and the challenge.</p> </dd> <dt id="max-age"><a href="#max-age"><code>&lt;max-age&gt;</code></a></dt> <dd> <p>The number of seconds from the time the HTTP response is emitted for which responses to this challenge can be accepted.</p> </dd> <dt id="realm_4"><a href="#realm_4"><code>&lt;realm&gt;</code> <span class="badge inline optional">Optional</span></a></dt> <dd> <p>As above in the <a href="#directives">directives</a> section.</p> </dd> </dl></div></section><section aria-labelledby="examples"><h2 id="examples"><a href="#examples">Examples</a></h2><div class="section-content"></div></section><section aria-labelledby="issuing_multiple_authentication_challenges"><h3 id="issuing_multiple_authentication_challenges"><a href="#issuing_multiple_authentication_challenges">Issuing multiple authentication challenges</a></h3><div class="section-content"><p>Multiple challenges may be specified in a single response header:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>HTTP/1.1 401 Unauthorized WWW-Authenticate: challenge1, …, challengeN </code></pre></div> <p>Multiple challenges can be sent in separate <code>WWW-Authenticate</code> headers in the same response:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>HTTP/1.1 401 Unauthorized WWW-Authenticate: challenge1 WWW-Authenticate: challengeN </code></pre></div></div></section><section aria-labelledby="basic_authentication"><h3 id="basic_authentication"><a href="#basic_authentication">Basic authentication</a></h3><div class="section-content"><p>A server that only supports basic authentication might have a <code>WWW-Authenticate</code> response header which looks like this:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm="Staging server", charset="UTF-8" </code></pre></div> <p>A user-agent receiving this header would first prompt the user for their username and password, and then re-request the resource with the encoded credentials in the <code>Authorization</code> header. The <code>Authorization</code> header might look like this:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l </code></pre></div> <p>For <code>Basic</code> authentication, the credentials are constructed by first combining the username and the password with a colon (<code>aladdin:opensesame</code>), and then by encoding the resulting string in <a href="/en-US/docs/Glossary/Base64"><code>base64</code></a> (<code>YWxhZGRpbjpvcGVuc2VzYW1l</code>).</p> <div class="notecard note"> <p><strong>Note:</strong> See also <a href="/en-US/docs/Web/HTTP/Authentication">HTTP authentication</a> for examples on how to configure Apache or Nginx servers to password protect your site with HTTP basic authentication.</p> </div></div></section><section aria-labelledby="digest_authentication_with_sha-256_and_md5"><h3 id="digest_authentication_with_sha-256_and_md5"><a href="#digest_authentication_with_sha-256_and_md5">Digest authentication with SHA-256 and MD5</a></h3><div class="section-content"><div class="notecard note"> <p><strong>Note:</strong> This example is taken from <a href="https://datatracker.ietf.org/doc/html/rfc7616" class="external" target="_blank">RFC 7616</a> "HTTP Digest Access Authentication" (other examples in the specification show the use of <code>SHA-512</code>, <code>charset</code>, and <code>userhash</code>).</p> </div> <p>The client attempts to access a document at URI <code>http://www.example.org/dir/index.html</code> that is protected via digest authentication. The username for this document is "Mufasa" and the password is "Circle of Life" (note the single space between each of the words).</p> <p>The first time the client requests the document, no <a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a> header field is sent. Here the server responds with an HTTP 401 message that includes a challenge for each digest algorithm it supports, in its order of preference (<code>SHA256</code> and then <code>MD5</code>)</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=SHA-256, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS" WWW-Authenticate: Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=MD5, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS" </code></pre></div> <p>The client prompts the user for their username and password, and then responds with a new request that encodes the credentials in the <a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a> header field. If the client chose the MD5 digest the <a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a> header field might look as shown below:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Authorization: Digest username="Mufasa", realm="http-auth@example.org", uri="/dir/index.html", algorithm=MD5, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", nc=00000001, cnonce="f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ", qop=auth, response="8ca523f5e9506fed4657c9700eebdbec", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS" </code></pre></div> <p>If the client chose the SHA-256 digest the <a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a> header field might look as shown below:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Authorization: Digest username="Mufasa", realm="http-auth@example.org", uri="/dir/index.html", algorithm=SHA-256, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", nc=00000001, cnonce="f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ", qop=auth, response="753927fa0e85d155564e2e272a28d1802ca10daf449 6794697cf8db5856cb6c1", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS" </code></pre></div></div></section><section aria-labelledby="hoba_authentication"><h3 id="hoba_authentication"><a href="#hoba_authentication">HOBA Authentication</a></h3><div class="section-content"><p>A server that supports HOBA authentication might have a <code>WWW-Authenticate</code> response header which looks like this:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>HTTP/1.1 401 Unauthorized WWW-Authenticate: HOBA max-age="180", challenge="16:MTEyMzEyMzEyMw==1:028:https://www.example.com:80800:3:MTI48:NjgxNDdjOTctNDYxYi00MzEwLWJlOWItNGM3MDcyMzdhYjUz" </code></pre></div> <p>The to-be-signed blob challenge is made from these parts: <code>www.example.com</code> using port 8080, the nonce is <code>1123123123</code>, the algorithm for signing is RSA-SHA256, the key identifier is <code>123</code>, and finally the challenge is <code>68147c97-461b-4310-be9b-4c707237ab53</code>.</p> <p>A client would receive this header, extract the challenge, sign it with their private key that corresponds to key identifier 123 in our example using RSA-SHA256, and then send the result in the <code>Authorization</code> header as a dot-separated key id, challenge, nonce, and signature.</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Authorization: 123.16:MTEyMzEyMzEyMw==1:028:https://www.example.com:80800:3:MTI48:NjgxNDdjOTctNDYxYi00MzEwLWJlOWItNGM3MDcyMzdhYjUz.1123123123.&lt;signature-of-challenge&gt; </code></pre></div></div></section><h2 id="specifications"><a href="#specifications">Specifications</a></h2><table class="standard-table"><thead><tr><th scope="col">Specification</th></tr></thead><tbody><tr><td><a href="https://httpwg.org/specs/rfc9110.html#field.www-authenticate">HTTP Semantics<!-- --> <br/><small># <!-- -->field.www-authenticate</small></a></td></tr></tbody></table><h2 id="browser_compatibility"><a href="#browser_compatibility">Browser compatibility</a></h2><p>BCD tables only load in the browser<noscript> <!-- -->with JavaScript enabled. Enable JavaScript to view data.</noscript></p><section aria-labelledby="see_also"><h2 id="see_also"><a href="#see_also">See also</a></h2><div class="section-content"><ul> <li><a href="/en-US/docs/Web/HTTP/Authentication">HTTP authentication</a></li> <li><a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a></li> <li><a href="/en-US/docs/Web/HTTP/Headers/Proxy-Authorization"><code>Proxy-Authorization</code></a></li> <li><a href="/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate"><code>Proxy-Authenticate</code></a></li> <li><a href="/en-US/docs/Web/HTTP/Status/401"><code>401</code></a>, <a href="/en-US/docs/Web/HTTP/Status/403"><code>403</code></a>, <a href="/en-US/docs/Web/HTTP/Status/407"><code>407</code></a></li> </ul></div></section></article><aside class="article-footer"><div class="article-footer-inner"><div class="svg-container"><svg xmlns="http://www.w3.org/2000/svg" width="162" height="162" viewBox="0 0 162 162" fill="none" role="none"><mask id="b" fill="#fff"><path d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z"></path></mask><path stroke="url(#a)" stroke-dasharray="6, 6" stroke-width="2" d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z" mask="url(#b)" style="stroke:url(#a)" transform="translate(-63.992 -25.587)"></path><ellipse cx="8.066" cy="111.597" fill="var(--background-tertiary)" rx="53.677" ry="53.699" transform="matrix(.71707 -.697 .7243 .6895 0 0)"></ellipse><g clip-path="url(#c)" transform="translate(-63.992 -25.587)"><path fill="#9abff5" d="m144.256 137.379 32.906 12.434a4.41 4.41 0 0 1 2.559 5.667l-9.326 24.679a4.41 4.41 0 0 1-5.667 2.559l-8.226-3.108-2.332 6.17c-.466 1.233-.375 1.883-1.609 1.417l-2.253-.527c-.411-.155-.95-.594-1.206-1.161l-4.734-10.484-12.545-4.741a4.41 4.41 0 0 1-2.559-5.667l9.325-24.679a4.41 4.41 0 0 1 5.667-2.559m9.961 29.617 8.227 3.108 3.264-8.638-.498-6.768-4.113-1.555.548 7.258-4.319-1.632zm-12.339-4.663 8.226 3.108 3.264-8.637-.498-6.769-4.113-1.554.548 7.257-4.319-1.632z"></path></g><g clip-path="url(#d)" transform="translate(-63.992 -25.587)"><path fill="#81b0f3" d="M135.35 60.136 86.67 41.654c-3.346-1.27-7.124.428-8.394 3.775L64.414 81.938c-1.27 3.347.428 7.125 3.774 8.395l12.17 4.62-3.465 9.128c-.693 1.826-1.432 2.457.394 3.15l3.014 1.625c.609.231 1.637.274 2.477-.104l15.53-6.983 18.56 7.047c3.346 1.27 7.124-.428 8.395-3.775l13.862-36.51c1.27-3.346-.428-7.124-3.775-8.395M95.261 83.207l-12.17-4.62 4.852-12.779 7.19-7.017 6.085 2.31-7.725 7.51 6.389 2.426zm18.255 6.93-12.17-4.62 4.852-12.778 7.189-7.017 6.085 2.31-7.725 7.51 6.39 2.426z"></path></g><defs><clipPath id="c"><path fill="#fff" d="m198.638 146.586-65.056-24.583-24.583 65.057 65.056 24.582z"></path></clipPath><clipPath id="d"><path fill="#fff" d="m66.438 14.055 96.242 36.54-36.54 96.243-96.243-36.54z"></path></clipPath><linearGradient id="a" x1="97.203" x2="199.995" y1="47.04" y2="152.793" gradientUnits="userSpaceOnUse"><stop stop-color="#086DFC"></stop><stop offset="0.246" stop-color="#2C81FA"></stop><stop offset="0.516" stop-color="#5497F8"></stop><stop offset="0.821" stop-color="#80B0F6"></stop><stop offset="1" stop-color="#9ABFF5"></stop></linearGradient></defs></svg></div><h2>Help improve MDN</h2><fieldset class="feedback"><label>Was this page helpful to you?</label><div class="button-container"><button type="button" class="button primary has-icon yes"><span class="button-wrap"><span class="icon icon-thumbs-up "></span>Yes</span></button><button type="button" class="button primary has-icon no"><span class="button-wrap"><span class="icon icon-thumbs-down "></span>No</span></button></div></fieldset><a class="contribute" href="https://github.com/mdn/content/blob/main/CONTRIBUTING.md" title="This will take you to our contribution guidelines on GitHub." target="_blank" rel="noopener noreferrer">Learn how to contribute</a>.<p class="last-modified-date">This page was last modified on<!-- --> <time dateTime="2024-12-09T16:05:46.000Z">Dec 9, 2024</time> by<!-- --> <a href="/en-US/docs/Web/HTTP/Headers/WWW-Authenticate/contributors.txt" rel="nofollow">MDN contributors</a>.</p><div id="on-github" class="on-github"><a href="https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/www-authenticate/index.md?plain=1" title="Folder: en-us/web/http/headers/www-authenticate (Opens in a new tab)" target="_blank" rel="noopener noreferrer">View this page on GitHub</a> <!-- -->•<!-- --> <a href="https://github.com/mdn/content/issues/new?template=page-report.yml&amp;mdn-url=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FWWW-Authenticate&amp;metadata=%3C%21--+Do+not+make+changes+below+this+line+--%3E%0A%3Cdetails%3E%0A%3Csummary%3EPage+report+details%3C%2Fsummary%3E%0A%0A*+Folder%3A+%60en-us%2Fweb%2Fhttp%2Fheaders%2Fwww-authenticate%60%0A*+MDN+URL%3A+https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FWWW-Authenticate%0A*+GitHub+URL%3A+https%3A%2F%2Fgithub.com%2Fmdn%2Fcontent%2Fblob%2Fmain%2Ffiles%2Fen-us%2Fweb%2Fhttp%2Fheaders%2Fwww-authenticate%2Findex.md%0A*+Last+commit%3A+https%3A%2F%2Fgithub.com%2Fmdn%2Fcontent%2Fcommit%2Fed041385cf874deec203e820fd415bdcd6f98a19%0A*+Document+last+modified%3A+2024-12-09T16%3A05%3A46.000Z%0A%0A%3C%2Fdetails%3E" title="This will take you to GitHub to file a new issue." target="_blank" rel="noopener noreferrer">Report a problem with this content</a></div></div></aside></main></div></div><footer id="nav-footer" class="page-footer"><div class="page-footer-grid"><div class="page-footer-logo-col"><a href="/" class="mdn-footer-logo" aria-label="MDN homepage"><svg width="48" height="17" viewBox="0 0 48 17" fill="none" xmlns="http://www.w3.org/2000/svg"><title id="mdn-footer-logo-svg">MDN logo</title><path d="M20.04 16.512H15.504V10.416C15.504 9.488 15.344 8.824 15.024 8.424C14.72 8.024 14.264 7.824 13.656 7.824C12.92 7.824 12.384 8.064 12.048 8.544C11.728 9.024 11.568 9.64 11.568 10.392V14.184H13.008V16.512H8.472V10.416C8.472 9.488 8.312 8.824 7.992 8.424C7.688 8.024 7.232 7.824 6.624 7.824C5.872 7.824 5.336 8.064 5.016 8.544C4.696 9.024 4.536 9.64 4.536 10.392V14.184H6.6V16.512H0V14.184H1.44V8.04H0.024V5.688H4.536V7.32C5.224 6.088 6.32 5.472 7.824 5.472C8.608 5.472 9.328 5.664 9.984 6.048C10.64 6.432 11.096 7.016 11.352 7.8C11.992 6.248 13.168 5.472 14.88 5.472C15.856 5.472 16.72 5.776 17.472 6.384C18.224 6.992 18.6 7.936 18.6 9.216V14.184H20.04V16.512Z" fill="currentColor"></path><path d="M33.6714 16.512H29.1354V14.496C28.8314 15.12 28.3834 15.656 27.7914 16.104C27.1994 16.536 26.4154 16.752 25.4394 16.752C24.0154 16.752 22.8954 16.264 22.0794 15.288C21.2634 14.312 20.8554 12.984 20.8554 11.304C20.8554 9.688 21.2554 8.312 22.0554 7.176C22.8554 6.04 24.0634 5.472 25.6794 5.472C26.5594 5.472 27.2794 5.648 27.8394 6C28.3994 6.352 28.8314 6.8 29.1354 7.344V2.352H26.9754V0H32.2314V14.184H33.6714V16.512ZM29.1354 11.04V10.776C29.1354 9.88 28.8954 9.184 28.4154 8.688C27.9514 8.176 27.3674 7.92 26.6634 7.92C25.9754 7.92 25.3674 8.176 24.8394 8.688C24.3274 9.2 24.0714 10.008 24.0714 11.112C24.0714 12.152 24.3114 12.944 24.7914 13.488C25.2714 14.032 25.8394 14.304 26.4954 14.304C27.3114 14.304 27.9514 13.96 28.4154 13.272C28.8954 12.584 29.1354 11.84 29.1354 11.04Z" fill="currentColor"></path><path d="M47.9589 16.512H41.9829V14.184H43.4229V10.416C43.4229 9.488 43.2629 8.824 42.9429 8.424C42.6389 8.024 42.1829 7.824 41.5749 7.824C40.8389 7.824 40.2709 8.056 39.8709 8.52C39.4709 8.968 39.2629 9.56 39.2469 10.296V14.184H40.6869V16.512H34.7109V14.184H36.1509V8.04H34.5909V5.688H39.2469V7.344C39.9669 6.096 41.1269 5.472 42.7269 5.472C43.7509 5.472 44.6389 5.776 45.3909 6.384C46.1429 6.992 46.5189 7.936 46.5189 9.216V14.184H47.9589V16.512Z" fill="currentColor"></path></svg></a><p>Your blueprint for a better internet.</p><ul class="social-icons"><li><a href="https://mastodon.social/@mdn" target="_blank" rel="me noopener noreferrer"><span class="icon icon-mastodon"></span><span class="visually-hidden">MDN on Mastodon</span></a></li><li><a href="https://twitter.com/mozdevnet" target="_blank" rel="noopener noreferrer"><span class="icon icon-twitter-x"></span><span class="visually-hidden">MDN on X (formerly Twitter)</span></a></li><li><a href="https://github.com/mdn/" target="_blank" rel="noopener noreferrer"><span class="icon icon-github-mark-small"></span><span class="visually-hidden">MDN on GitHub</span></a></li><li><a href="/en-US/blog/rss.xml" target="_blank"><span class="icon icon-feed"></span><span class="visually-hidden">MDN Blog RSS Feed</span></a></li></ul></div><div class="page-footer-nav-col-1"><h2 class="footer-nav-heading">MDN</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a href="/en-US/about">About</a></li><li class="footer-nav-item"><a href="/en-US/blog/">Blog</a></li><li class="footer-nav-item"><a href="https://www.mozilla.org/en-US/careers/listings/?team=ProdOps" target="_blank" rel="noopener noreferrer">Careers</a></li><li class="footer-nav-item"><a href="/en-US/advertising">Advertise with us</a></li></ul></div><div class="page-footer-nav-col-2"><h2 class="footer-nav-heading">Support</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="https://support.mozilla.org/products/mdn-plus">Product help</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/MDN/Community/Issues">Report an issue</a></li></ul></div><div class="page-footer-nav-col-3"><h2 class="footer-nav-heading">Our communities</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/community">MDN Community</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="https://discourse.mozilla.org/c/mdn/236" target="_blank" rel="noopener noreferrer">MDN Forum</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/discord" target="_blank" rel="noopener noreferrer">MDN Chat</a></li></ul></div><div class="page-footer-nav-col-4"><h2 class="footer-nav-heading">Developers</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/Web">Web Technologies</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/Learn">Learn Web Development</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/plus">MDN Plus</a></li><li class="footer-nav-item"><a href="https://hacks.mozilla.org/" target="_blank" rel="noopener noreferrer">Hacks Blog</a></li></ul></div><div class="page-footer-moz"><a href="https://www.mozilla.org/" class="footer-moz-logo-link" target="_blank" rel="noopener noreferrer"><svg xmlns="http://www.w3.org/2000/svg" width="137" height="32" fill="none" viewBox="0 0 267.431 62.607"><path fill="currentColor" d="m13.913 23.056 5.33 25.356h2.195l5.33-25.356h14.267v38.976h-7.578V29.694h-2.194l-7.264 32.337h-7.343L9.418 29.694H7.223v32.337H-.354V23.056Zm47.137 9.123c9.12 0 14.423 5.385 14.423 15.214s-5.33 15.214-14.423 15.214c-9.12 0-14.423-5.385-14.423-15.214 0-9.855 5.304-15.214 14.423-15.214m0 24.363c4.285 0 6.428-2.196 6.428-7.032v-4.287c0-4.836-2.143-7.032-6.428-7.032s-6.428 2.196-6.428 7.032v4.287c0 4.836 2.143 7.032 6.428 7.032m18.473-.157 15.47-18.01h-15.26v-5.647h24.352v5.646L88.616 56.385h15.704v5.646H79.523Zm29.318-23.657h11.183V62.03h-7.578V38.375h-3.632v-5.646zm3.605-9.672h7.578v5.646h-7.578zm13.17 0h11.21v38.976h-7.578v-33.33h-3.632zm16.801 0H153.6v38.976h-7.577v-33.33h-3.632v-5.646zm29.03 9.123c4.442 0 7.394 2.143 8.231 5.881h2.194v-5.332h9.276v5.646h-3.632v18.011h3.632v5.646h-4.442c-3.135 0-4.834-1.699-4.834-4.836V56.7h-2.194c-.81 3.738-3.789 5.881-8.23 5.881-6.978 0-11.916-5.829-11.916-15.214 0-9.384 4.938-15.187 11.915-15.187m2.3 24.363c4.284 0 6.192-2.196 6.192-7.032v-4.287c0-4.836-1.908-7.032-6.193-7.032-4.18 0-6.193 2.196-6.193 7.032v4.287c0 4.836 2.012 7.032 6.193 7.032m48.34 5.489h-7.577V0h7.577zm6.585-29.643h32.165v-2.196l-21.295-7.634v-6.143l21.295-7.633V6.588h-25.345V0h32.165v12.522l-17.35 5.881V20.6l17.35 5.882v12.521h-38.985zm0-25.801h6.794v6.796h-6.794z"></path></svg></a><ul class="footer-moz-list"><li class="footer-moz-item"><a href="https://www.mozilla.org/privacy/websites/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Website Privacy Notice</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/privacy/websites/#cookies" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Cookies</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/about/legal/terms/mozilla" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Legal</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/about/governance/policies/participation/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Community Participation Guidelines</a></li></ul></div><div class="page-footer-legal"><p id="license" class="page-footer-legal-text">Visit<!-- --> <a href="https://www.mozilla.org" target="_blank" rel="noopener noreferrer">Mozilla Corporation’s</a> <!-- -->not-for-profit parent, the<!-- --> <a target="_blank" rel="noopener noreferrer" href="https://foundation.mozilla.org/">Mozilla Foundation</a>.<br/>Portions of this content are ©1998–<!-- -->2025<!-- --> by individual mozilla.org contributors. Content available under<!-- --> <a href="/en-US/docs/MDN/Writing_guidelines/Attrib_copyright_license">a Creative Commons license</a>.</p></div></div></footer></div><script type="application/json" id="hydration">{"url":"/en-US/docs/Web/HTTP/Headers/WWW-Authenticate","doc":{"body":[{"type":"prose","value":{"id":null,"title":null,"isH3":false,"content":"<p>The HTTP <strong><code>WWW-Authenticate</code></strong> <a href=\"/en-US/docs/Glossary/Response_header\">response header</a> advertises the <a href=\"/en-US/docs/Web/HTTP/Authentication\">HTTP authentication</a> methods (or <a href=\"/en-US/docs/Glossary/Challenge\">challenges</a>) that might be used to gain access to a specific resource.</p>\n<p>This header is part of the <a href=\"/en-US/docs/Web/HTTP/Authentication#the_general_http_authentication_framework\">General HTTP authentication framework</a>, which can be used with a number of <a href=\"/en-US/docs/Web/HTTP/Authentication#authentication_schemes\">authentication schemes</a>.\nEach challenge identifies a scheme supported by the server and additional parameters that are defined for that scheme type.</p>\n<p>A server using <a href=\"/en-US/docs/Web/HTTP/Authentication\">HTTP authentication</a> will respond with a <a href=\"/en-US/docs/Web/HTTP/Status/401\"><code>401 Unauthorized</code></a> response to a request for a protected resource.\nThis response must include at least one <code>WWW-Authenticate</code> header and at least one challenge to indicate what authentication schemes can be used to access the resource and any additional data that each particular scheme needs.</p>\n<p>Multiple challenges are allowed in one <code>WWW-Authenticate</code> header, and multiple <code>WWW-Authenticate</code> headers are allowed in one response.\nA server may also include the <code>WWW-Authenticate</code> header in other response messages to indicate that supplying credentials might affect the response.</p>\n<p>After receiving the <code>WWW-Authenticate</code> header, a client will typically prompt the user for credentials, and then re-request the resource.\nThis new request uses the <a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a> header to supply the credentials to the server, encoded appropriately for the selected authentication method.\nThe client is expected to select the most secure of the challenges it understands (note that in some cases the \"most secure\" method is debatable).</p>\n<figure class=\"table-container\"><table class=\"properties\">\n <tbody>\n <tr>\n <th scope=\"row\">Header type</th>\n <td><a href=\"/en-US/docs/Glossary/Response_header\">Response header</a></td>\n </tr>\n <tr>\n <th scope=\"row\"><a href=\"/en-US/docs/Glossary/Forbidden_header_name\">Forbidden header name</a></th>\n <td>No</td>\n </tr>\n </tbody>\n</table></figure>"}},{"type":"prose","value":{"id":"syntax","title":"Syntax","isH3":false,"content":"<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>WWW-Authenticate: &lt;challenge&gt;\n</code></pre></div>\n<p>Where a <code>&lt;challenge&gt;</code> is comprised of an <code>&lt;auth-scheme&gt;</code>, followed by an optional <code>&lt;token68&gt;</code> or a comma-separated list of <code>&lt;auth-params&gt;</code>:</p>\n<pre class=\"brush: plain notranslate\">challenge = &lt;auth-scheme&gt; &lt;auth-param&gt;, …, &lt;auth-paramN&gt;\nchallenge = &lt;auth-scheme&gt; &lt;token68&gt;\n</pre>\n<p>For example:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>WWW-Authenticate: &lt;auth-scheme&gt;\nWWW-Authenticate: &lt;auth-scheme&gt; token68\nWWW-Authenticate: &lt;auth-scheme&gt; auth-param1=param-token1\nWWW-Authenticate: &lt;auth-scheme&gt; auth-param1=param-token1, …, auth-paramN=param-tokenN\n</code></pre></div>\n<p>The presence of a <code>token68</code> or authentication parameters depends on the selected <code>&lt;auth-scheme&gt;</code>.\nFor example, <a href=\"/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme\">Basic authentication</a> requires a <code>&lt;realm&gt;</code>, and allows for optional use of <code>charset</code> key, but does not support a <code>token68</code>:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>WWW-Authenticate: Basic realm=\"Dev\", charset=\"UTF-8\"\n</code></pre></div>\n<p>Multiple challenges can be sent in a comma-separated list</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>WWW-Authenticate: &lt;challenge&gt;, …, &lt;challengeN&gt;\n</code></pre></div>\n<p>Multiple headers can also be sent in a single response:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>WWW-Authenticate: &lt;challenge&gt;\nWWW-Authenticate: &lt;challengeN&gt;\n</code></pre></div>"}},{"type":"prose","value":{"id":"directives","title":"Directives","isH3":false,"content":"<dl>\n<dt id=\"auth-scheme\"><a href=\"#auth-scheme\"><code>&lt;auth-scheme&gt;</code></a></dt>\n<dd>\n<p>A case-insensitive token indicating the <a href=\"/en-US/docs/Web/HTTP/Authentication#authentication_schemes\">Authentication scheme</a> used.\nSome of the more common types are <a href=\"/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme\"><code>Basic</code></a>, <code>Digest</code>, <code>Negotiate</code> and <code>AWS4-HMAC-SHA256</code>.\nIANA maintains a <a href=\"https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml\" class=\"external\" target=\"_blank\">list of authentication schemes</a>, but there are other schemes offered by host services.</p>\n</dd>\n<dt id=\"auth-param\"><a href=\"#auth-param\"><code>&lt;auth-param&gt;</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>An authentication parameter whose format depends on the <code>&lt;auth-scheme&gt;</code>.\n<code>&lt;realm&gt;</code> is described below as it's a common authentication parameter among many auth schemes.</p>\n<dl>\n<dt id=\"realm\"><a href=\"#realm\"><code>&lt;realm&gt;</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>The string <code>realm</code> followed by <code>=</code> and a quoted string describing a protected area, for example <code>realm=\"staging environment\"</code>.\nA realm allows a server to partition the areas it protects (if supported by a scheme that allows such partitioning).\nSome clients show this value to the user to inform them about which particular credentials are required — though most browsers stopped doing so to counter phishing.\nThe only reliably supported character set for this value is <code>us-ascii</code>.\nIf no realm is specified, clients often display a formatted hostname instead.</p>\n</dd>\n</dl>\n</dd>\n<dt id=\"token68\"><a href=\"#token68\"><code>&lt;token68&gt;</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>A token that may be useful for some schemes.\nThe token allows the 66 unreserved URI characters plus a few others.\nIt can hold a <a href=\"/en-US/docs/Glossary/Base64\">base64</a>, base64url, base32, or base16 (hex) encoding, with or without padding, but excluding whitespace.\nThe token68 alternative to auth-param lists is supported for consistency with legacy authentication schemes.</p>\n</dd>\n</dl>\n<p>Generally, you will need to check the relevant specifications for the authentication parameters needed for each <code>&lt;auth-scheme&gt;</code>.\nThe following sections describe token and auth parameters for some common auth schemes.</p>"}},{"type":"prose","value":{"id":"basic_authentication_directives","title":"Basic authentication directives","isH3":true,"content":"<dl>\n<dt id=\"realm_2\"><a href=\"#realm_2\"><code>&lt;realm&gt;</code></a></dt>\n<dd>\n<p>A <code>&lt;realm&gt;</code> as <a href=\"#realm\">described above</a>.\nNote that the realm is mandatory for <code>Basic</code> authentication.</p>\n</dd>\n<dt id=\"charsetutf-8\"><a href=\"#charsetutf-8\"><code>charset=\"UTF-8\"</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>Tells the client the server's preferred encoding scheme when submitting a username and password.\nThe only allowed value is the case-insensitive string <code>UTF-8</code>.\nThis does not relate to the encoding of the realm string.</p>\n</dd>\n</dl>"}},{"type":"prose","value":{"id":"digest_authentication_directives","title":"Digest authentication directives","isH3":true,"content":"<dl>\n<dt id=\"realm_3\"><a href=\"#realm_3\"><code>&lt;realm&gt;</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>A <code>&lt;realm&gt;</code> as <a href=\"#realm\">described above</a> indicating which username/password to use.\nMinimally should include the host name, but might indicate the users or group that have access.</p>\n</dd>\n<dt id=\"domain\"><a href=\"#domain\"><code>domain</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>A quoted, space-separated list of URI prefixes that define all the locations where the authentication information may be used.\nIf this key is not specified then the authentication information may be used anywhere on the web root.</p>\n</dd>\n<dt id=\"nonce\"><a href=\"#nonce\"><code>nonce</code></a></dt>\n<dd>\n<p>A server-specified quoted string that the server can use to control the lifetime in which particular credentials will be considered valid.\nThis must be uniquely generated each time a 401 response is made, and may be regenerated more often (for example, allowing a digest to be used only once).\nThe specification contains advice on possible algorithms for generating this value.\nThe nonce value is opaque to the client.</p>\n</dd>\n<dt id=\"opaque\"><a href=\"#opaque\"><code>opaque</code></a></dt>\n<dd>\n<p>A server-specified quoted string that should be returned unchanged in the <a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a>.\nThis is opaque to the client. The server is recommended to include Base64 or hexadecimal data.</p>\n</dd>\n<dt id=\"stale\"><a href=\"#stale\"><code>stale</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>A case-insensitive flag indicating that the previous request from the client was rejected because the <code>nonce</code> used is too old (stale).\nIf this is <code>true</code> the request can be retried using the same username/password encrypted using the new <code>nonce</code>.\nIf it is any other value then the username/password are invalid and must be re-requested from the user.</p>\n</dd>\n<dt id=\"algorithm\"><a href=\"#algorithm\"><code>algorithm</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>A string indicating the algorithm used to produce a digest.\nValid non-session values are: <code>MD5</code> (default if <code>algorithm</code> not specified), <code>SHA-256</code>, <code>SHA-512</code>.\nValid session values are: <code>MD5-sess</code>, <code>SHA-256-sess</code>, <code>SHA-512-sess</code>.</p>\n</dd>\n<dt id=\"qop\"><a href=\"#qop\"><code>qop</code></a></dt>\n<dd>\n<p>Quoted string indicating the quality of protection supported by the server. This must be supplied, and unrecognized options must be ignored.</p>\n<ul>\n<li><code>\"auth\"</code>: Authentication</li>\n<li><code>\"auth-int\"</code>: Authentication with integrity protection</li>\n</ul>\n</dd>\n<dt id=\"charsetutf-8_2\"><a href=\"#charsetutf-8_2\"><code>charset=\"UTF-8\"</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>Tells the client the server's preferred encoding scheme when submitting a username and password.\nThe only allowed value is the case-insensitive string \"UTF-8\".</p>\n</dd>\n<dt id=\"userhash\"><a href=\"#userhash\"><code>userhash</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>A server may specify <code>\"true\"</code> to indicate that it supports username hashing (default is <code>\"false\"</code>)</p>\n</dd>\n</dl>"}},{"type":"prose","value":{"id":"http_origin-bound_authentication_hoba","title":"HTTP Origin-Bound Authentication (HOBA)","isH3":true,"content":"<dl>\n<dt id=\"challenge\"><a href=\"#challenge\"><code>&lt;challenge&gt;</code></a></dt>\n<dd>\n<p>A set of pairs in the format of <code>&lt;len&gt;:&lt;value&gt;</code> concatenated together to be given to a client.\nThe challenge is made of up a nonce, algorithm, origin, realm, key identifier, and the challenge.</p>\n</dd>\n<dt id=\"max-age\"><a href=\"#max-age\"><code>&lt;max-age&gt;</code></a></dt>\n<dd>\n<p>The number of seconds from the time the HTTP response is emitted for which responses to this challenge can be accepted.</p>\n</dd>\n<dt id=\"realm_4\"><a href=\"#realm_4\"><code>&lt;realm&gt;</code> <span class=\"badge inline optional\">Optional</span></a></dt>\n<dd>\n<p>As above in the <a href=\"#directives\">directives</a> section.</p>\n</dd>\n</dl>"}},{"type":"prose","value":{"id":"examples","title":"Examples","isH3":false,"content":""}},{"type":"prose","value":{"id":"issuing_multiple_authentication_challenges","title":"Issuing multiple authentication challenges","isH3":true,"content":"<p>Multiple challenges may be specified in a single response header:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>HTTP/1.1 401 Unauthorized\nWWW-Authenticate: challenge1, …, challengeN\n</code></pre></div>\n<p>Multiple challenges can be sent in separate <code>WWW-Authenticate</code> headers in the same response:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>HTTP/1.1 401 Unauthorized\nWWW-Authenticate: challenge1\nWWW-Authenticate: challengeN\n</code></pre></div>"}},{"type":"prose","value":{"id":"basic_authentication","title":"Basic authentication","isH3":true,"content":"<p>A server that only supports basic authentication might have a <code>WWW-Authenticate</code> response header which looks like this:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Basic realm=\"Staging server\", charset=\"UTF-8\"\n</code></pre></div>\n<p>A user-agent receiving this header would first prompt the user for their username and password, and then re-request the resource with the encoded credentials in the <code>Authorization</code> header.\nThe <code>Authorization</code> header might look like this:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l\n</code></pre></div>\n<p>For <code>Basic</code> authentication, the credentials are constructed by first combining the username and the password with a colon (<code>aladdin:opensesame</code>), and then by encoding the resulting string in <a href=\"/en-US/docs/Glossary/Base64\"><code>base64</code></a> (<code>YWxhZGRpbjpvcGVuc2VzYW1l</code>).</p>\n<div class=\"notecard note\">\n<p><strong>Note:</strong>\nSee also <a href=\"/en-US/docs/Web/HTTP/Authentication\">HTTP authentication</a> for examples on how to configure Apache or Nginx servers to password protect your site with HTTP basic authentication.</p>\n</div>"}},{"type":"prose","value":{"id":"digest_authentication_with_sha-256_and_md5","title":"Digest authentication with SHA-256 and MD5","isH3":true,"content":"<div class=\"notecard note\">\n<p><strong>Note:</strong>\nThis example is taken from <a href=\"https://datatracker.ietf.org/doc/html/rfc7616\" class=\"external\" target=\"_blank\">RFC 7616</a> \"HTTP Digest Access Authentication\" (other examples in the specification show the use of <code>SHA-512</code>, <code>charset</code>, and <code>userhash</code>).</p>\n</div>\n<p>The client attempts to access a document at URI <code>http://www.example.org/dir/index.html</code> that is protected via digest authentication.\nThe username for this document is \"Mufasa\" and the password is \"Circle of Life\" (note the single space between each of the words).</p>\n<p>The first time the client requests the document, no <a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a> header field is sent.\nHere the server responds with an HTTP 401 message that includes a challenge for each digest algorithm it supports, in its order of preference (<code>SHA256</code> and then <code>MD5</code>)</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Digest\n realm=\"http-auth@example.org\",\n qop=\"auth, auth-int\",\n algorithm=SHA-256,\n nonce=\"7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v\",\n opaque=\"FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS\"\nWWW-Authenticate: Digest\n realm=\"http-auth@example.org\",\n qop=\"auth, auth-int\",\n algorithm=MD5,\n nonce=\"7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v\",\n opaque=\"FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS\"\n</code></pre></div>\n<p>The client prompts the user for their username and password, and then responds with a new request that encodes the credentials in the <a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a> header field.\nIf the client chose the MD5 digest the <a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a> header field might look as shown below:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Authorization: Digest username=\"Mufasa\",\n realm=\"http-auth@example.org\",\n uri=\"/dir/index.html\",\n algorithm=MD5,\n nonce=\"7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v\",\n nc=00000001,\n cnonce=\"f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ\",\n qop=auth,\n response=\"8ca523f5e9506fed4657c9700eebdbec\",\n opaque=\"FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS\"\n</code></pre></div>\n<p>If the client chose the SHA-256 digest the <a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a> header field might look as shown below:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Authorization: Digest username=\"Mufasa\",\n realm=\"http-auth@example.org\",\n uri=\"/dir/index.html\",\n algorithm=SHA-256,\n nonce=\"7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v\",\n nc=00000001,\n cnonce=\"f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ\",\n qop=auth,\n response=\"753927fa0e85d155564e2e272a28d1802ca10daf449\n 6794697cf8db5856cb6c1\",\n opaque=\"FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS\"\n</code></pre></div>"}},{"type":"prose","value":{"id":"hoba_authentication","title":"HOBA Authentication","isH3":true,"content":"<p>A server that supports HOBA authentication might have a <code>WWW-Authenticate</code> response header which looks like this:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>HTTP/1.1 401 Unauthorized\nWWW-Authenticate: HOBA max-age=\"180\", challenge=\"16:MTEyMzEyMzEyMw==1:028:https://www.example.com:80800:3:MTI48:NjgxNDdjOTctNDYxYi00MzEwLWJlOWItNGM3MDcyMzdhYjUz\"\n</code></pre></div>\n<p>The to-be-signed blob challenge is made from these parts: <code>www.example.com</code> using port 8080, the nonce is <code>1123123123</code>, the algorithm for signing is RSA-SHA256, the key identifier is <code>123</code>, and finally the challenge is <code>68147c97-461b-4310-be9b-4c707237ab53</code>.</p>\n<p>A client would receive this header, extract the challenge, sign it with their private key that corresponds to key identifier 123 in our example using RSA-SHA256, and then send the result in the <code>Authorization</code> header as a dot-separated key id, challenge, nonce, and signature.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Authorization: 123.16:MTEyMzEyMzEyMw==1:028:https://www.example.com:80800:3:MTI48:NjgxNDdjOTctNDYxYi00MzEwLWJlOWItNGM3MDcyMzdhYjUz.1123123123.&lt;signature-of-challenge&gt;\n</code></pre></div>"}},{"type":"specifications","value":{"id":"specifications","title":"Specifications","isH3":false,"specifications":[{"bcdSpecificationURL":"https://httpwg.org/specs/rfc9110.html#field.www-authenticate","title":"HTTP Semantics"}],"query":"http.headers.WWW-Authenticate"}},{"type":"browser_compatibility","value":{"id":"browser_compatibility","title":"Browser compatibility","isH3":false,"query":"http.headers.WWW-Authenticate"}},{"type":"prose","value":{"id":"see_also","title":"See also","isH3":false,"content":"<ul>\n<li><a href=\"/en-US/docs/Web/HTTP/Authentication\">HTTP authentication</a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authorization\"><code>Proxy-Authorization</code></a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate\"><code>Proxy-Authenticate</code></a></li>\n<li><a href=\"/en-US/docs/Web/HTTP/Status/401\"><code>401</code></a>, <a href=\"/en-US/docs/Web/HTTP/Status/403\"><code>403</code></a>, <a href=\"/en-US/docs/Web/HTTP/Status/407\"><code>407</code></a></li>\n</ul>"}}],"isActive":true,"isMarkdown":true,"isTranslated":false,"locale":"en-US","mdn_url":"/en-US/docs/Web/HTTP/Headers/WWW-Authenticate","modified":"2024-12-09T16:05:46.000Z","native":"English (US)","noIndexing":false,"other_translations":[{"locale":"de","title":"WWW-Authenticate","native":"Deutsch"},{"locale":"es","title":"WWW-Authenticate","native":"Español"},{"locale":"fr","title":"WWW-Authenticate","native":"Français"},{"locale":"ja","title":"WWW-Authenticate","native":"日本語"},{"locale":"pt-BR","title":"WWW-Authenticate","native":"Português (do Brasil)"},{"locale":"zh-CN","title":"WWW-Authenticate","native":"中文 (简体)"}],"pageTitle":"WWW-Authenticate - HTTP | MDN","parents":[{"uri":"/en-US/docs/Web","title":"References"},{"uri":"/en-US/docs/Web/HTTP","title":"HTTP"},{"uri":"/en-US/docs/Web/HTTP/Headers","title":"Headers"},{"uri":"/en-US/docs/Web/HTTP/Headers/WWW-Authenticate","title":"WWW-Authenticate"}],"popularity":null,"short_title":"WWW-Authenticate","sidebarHTML":"<ol><li class=\"section\"><a href=\"/en-US/docs/Web/HTTP\">HTTP</a></li><li class=\"section\">Guides</li><li><a href=\"/en-US/docs/Web/HTTP/Overview\">An overview of HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/Session\">A typical HTTP session</a></li><li><a href=\"/en-US/docs/Web/HTTP/Messages\">HTTP messages</a></li><li><a href=\"/en-US/docs/Web/HTTP/MIME_types\">MIME types (IANA media types)</a></li><li><a href=\"/en-US/docs/Web/HTTP/Compression\">Compression in HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/Caching\">HTTP caching</a></li><li><a href=\"/en-US/docs/Web/HTTP/Authentication\">HTTP authentication</a></li><li><a href=\"/en-US/docs/Web/HTTP/Cookies\">Using HTTP cookies</a></li><li><a href=\"/en-US/docs/Web/HTTP/Redirections\">Redirections in HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/Conditional_requests\">HTTP conditional requests</a></li><li><a href=\"/en-US/docs/Web/HTTP/Range_requests\">HTTP range requests</a></li><li><a href=\"/en-US/docs/Web/HTTP/Content_negotiation\">Content negotiation</a></li><li><a href=\"/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x\">Connection management in HTTP/1.x</a></li><li><a href=\"/en-US/docs/Web/HTTP/Evolution_of_HTTP\">Evolution of HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism\">Protocol upgrade mechanism</a></li><li><a href=\"/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling\">Proxy servers and tunneling</a></li><li><a href=\"/en-US/docs/Web/HTTP/Client_hints\">HTTP Client hints</a></li><li class=\"toggle\"><details><summary>Security and privacy</summary><ol><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides\">Practical security implementation guides</a></li><li><a href=\"/en-US/observatory\">HTTP Observatory</a></li><li><a href=\"/en-US/docs/Web/HTTP/Permissions_Policy\">Permissions Policy</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/CSP\">Content Security Policy (CSP)</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS\">Cross-Origin Resource Sharing (CORS)</a></li><li><a href=\"/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy\">Cross-Origin Resource Policy (CORP)</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers\">Headers</a></li></ol></details></li><li class=\"section\">References</li><li class=\"toggle\"><details open=\"\"><summary>HTTP headers</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept\"><code>Accept</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-CH\"><code>Accept-CH</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Encoding\"><code>Accept-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Language\"><code>Accept-Language</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Patch\"><code>Accept-Patch</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Post\"><code>Accept-Post</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Ranges\"><code>Accept-Ranges</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\"><code>Access-Control-Allow-Credentials</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers\"><code>Access-Control-Allow-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods\"><code>Access-Control-Allow-Methods</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\"><code>Access-Control-Allow-Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers\"><code>Access-Control-Expose-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age\"><code>Access-Control-Max-Age</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers\"><code>Access-Control-Request-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method\"><code>Access-Control-Request-Method</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Age\"><code>Age</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Allow\"><code>Allow</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Alt-Svc\"><code>Alt-Svc</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Alt-Used\"><code>Alt-Used</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Eligible\"><code>Attribution-Reporting-Eligible</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Source\"><code>Attribution-Reporting-Register-Source</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Trigger\"><code>Attribution-Reporting-Register-Trigger</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cache-Control\"><code>Cache-Control</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Clear-Site-Data\"><code>Clear-Site-Data</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Connection\"><code>Connection</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Digest\"><code>Content-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Disposition\"><code>Content-Disposition</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-DPR\"><code>Content-DPR</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Encoding\"><code>Content-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Language\"><code>Content-Language</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Length\"><code>Content-Length</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Location\"><code>Content-Location</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Range\"><code>Content-Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"><code>Content-Security-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\"><code>Content-Security-Policy-Report-Only</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Type\"><code>Content-Type</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cookie\"><code>Cookie</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Critical-CH\"><code>Critical-CH</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy\"><code>Cross-Origin-Embedder-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy\"><code>Cross-Origin-Opener-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy\"><code>Cross-Origin-Resource-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Date\"><code>Date</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Device-Memory\"><code>Device-Memory</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/DNT\"><code>DNT</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Downlink\"><code>Downlink</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/DPR\"><code>DPR</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Early-Data\"><code>Early-Data</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/ECT\"><code>ECT</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/ETag\"><code>ETag</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expect\"><code>Expect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expect-CT\"><code>Expect-CT</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expires\"><code>Expires</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Forwarded\"><code>Forwarded</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/From\"><code>From</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Host\"><code>Host</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Match\"><code>If-Match</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Modified-Since\"><code>If-Modified-Since</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-None-Match\"><code>If-None-Match</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Range\"><code>If-Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\"><code>If-Unmodified-Since</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Keep-Alive\"><code>Keep-Alive</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Last-Modified\"><code>Last-Modified</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Link\"><code>Link</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Location\"><code>Location</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Max-Forwards\"><code>Max-Forwards</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/NEL\"><code>NEL</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/No-Vary-Search\"><code>No-Vary-Search</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Observe-Browsing-Topics\"><code>Observe-Browsing-Topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster\"><code>Origin-Agent-Cluster</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy\"><code>Permissions-Policy</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Pragma\"><code>Pragma</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Priority\"><code>Priority</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate\"><code>Proxy-Authenticate</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authorization\"><code>Proxy-Authorization</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Range\"><code>Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Referer\"><code>Referer</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Referrer-Policy\"><code>Referrer-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Refresh\"><code>Refresh</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Report-To\"><code>Report-To</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints\"><code>Reporting-Endpoints</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Repr-Digest\"><code>Repr-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Retry-After\"><code>Retry-After</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/RTT\"><code>RTT</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Save-Data\"><code>Save-Data</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Browsing-Topics\"><code>Sec-Browsing-Topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Color-Scheme\"><code>Sec-CH-Prefers-Color-Scheme</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Motion\"><code>Sec-CH-Prefers-Reduced-Motion</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Transparency\"><code>Sec-CH-Prefers-Reduced-Transparency</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA\"><code>Sec-CH-UA</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Arch\"><code>Sec-CH-UA-Arch</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Bitness\"><code>Sec-CH-UA-Bitness</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version\"><code>Sec-CH-UA-Full-Version</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version-List\"><code>Sec-CH-UA-Full-Version-List</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Mobile\"><code>Sec-CH-UA-Mobile</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Model\"><code>Sec-CH-UA-Model</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform\"><code>Sec-CH-UA-Platform</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform-Version\"><code>Sec-CH-UA-Platform-Version</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest\"><code>Sec-Fetch-Dest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode\"><code>Sec-Fetch-Mode</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site\"><code>Sec-Fetch-Site</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User\"><code>Sec-Fetch-User</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-GPC\"><code>Sec-GPC</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Purpose\"><code>Sec-Purpose</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept\"><code>Sec-WebSocket-Accept</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Extensions\"><code>Sec-WebSocket-Extensions</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Key\"><code>Sec-WebSocket-Key</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Protocol\"><code>Sec-WebSocket-Protocol</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Version\"><code>Sec-WebSocket-Version</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Server\"><code>Server</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Server-Timing\"><code>Server-Timing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Service-Worker\"><code>Service-Worker</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Service-Worker-Allowed\"><code>Service-Worker-Allowed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Service-Worker-Navigation-Preload\"><code>Service-Worker-Navigation-Preload</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Set-Cookie\"><code>Set-Cookie</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Set-Login\"><code>Set-Login</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/SourceMap\"><code>SourceMap</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Speculation-Rules\"><code>Speculation-Rules</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security\"><code>Strict-Transport-Security</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode\"><code>Supports-Loading-Mode</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/TE\"><code>TE</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin\"><code>Timing-Allow-Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Tk\"><code>Tk</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Trailer\"><code>Trailer</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Transfer-Encoding\"><code>Transfer-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Upgrade\"><code>Upgrade</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests\"><code>Upgrade-Insecure-Requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/User-Agent\"><code>User-Agent</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Vary\"><code>Vary</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Via\"><code>Via</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Viewport-Width\"><code>Viewport-Width</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Content-Digest\"><code>Want-Content-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest\"><code>Want-Repr-Digest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Warning\"><code>Warning</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Width\"><code>Width</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><em><a href=\"/en-US/docs/Web/HTTP/Headers/WWW-Authenticate\" aria-current=\"page\"><code>WWW-Authenticate</code></a></em></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options\"><code>X-Content-Type-Options</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control\"><code>X-DNS-Prefetch-Control</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-For\"><code>X-Forwarded-For</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host\"><code>X-Forwarded-Host</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto\"><code>X-Forwarded-Proto</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Frame-Options\"><code>X-Frame-Options</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Permitted-Cross-Domain-Policies\"><code>X-Permitted-Cross-Domain-Policies</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Powered-By\"><code>X-Powered-By</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Robots-Tag\"><code>X-Robots-Tag</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-XSS-Protection\"><code>X-XSS-Protection</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li></ol></details></li><li class=\"toggle\"><details><summary>HTTP request methods</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Methods/CONNECT\"><code>CONNECT</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/DELETE\"><code>DELETE</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/GET\"><code>GET</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/HEAD\"><code>HEAD</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/OPTIONS\"><code>OPTIONS</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/PATCH\"><code>PATCH</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/POST\"><code>POST</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/PUT\"><code>PUT</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/TRACE\"><code>TRACE</code></a></li></ol></details></li><li class=\"toggle\"><details><summary>HTTP response status codes</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Status/100\"><code>100 Continue</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/101\"><code>101 Switching Protocols</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/102\"><code>102 Processing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/103\"><code>103 Early Hints</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/200\"><code>200 OK</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/201\"><code>201 Created</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/202\"><code>202 Accepted</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/203\"><code>203 Non-Authoritative Information</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/204\"><code>204 No Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/205\"><code>205 Reset Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/206\"><code>206 Partial Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/207\"><code>207 Multi-Status</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/208\"><code>208 Already Reported</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/226\"><code>226 IM Used</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/300\"><code>300 Multiple Choices</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/301\"><code>301 Moved Permanently</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/302\"><code>302 Found</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/303\"><code>303 See Other</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/304\"><code>304 Not Modified</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/307\"><code>307 Temporary Redirect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/308\"><code>308 Permanent Redirect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/400\"><code>400 Bad Request</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/401\"><code>401 Unauthorized</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/402\"><code>402 Payment Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/403\"><code>403 Forbidden</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/404\"><code>404 Not Found</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/405\"><code>405 Method Not Allowed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/406\"><code>406 Not Acceptable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/407\"><code>407 Proxy Authentication Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/408\"><code>408 Request Timeout</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/409\"><code>409 Conflict</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/410\"><code>410 Gone</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/411\"><code>411 Length Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/412\"><code>412 Precondition Failed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/413\"><code>413 Content Too Large</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/414\"><code>414 URI Too Long</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/415\"><code>415 Unsupported Media Type</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/416\"><code>416 Range Not Satisfiable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/417\"><code>417 Expectation Failed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/418\"><code>418 I'm a teapot</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/421\"><code>421 Misdirected Request</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/422\"><code>422 Unprocessable Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/423\"><code>423 Locked</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/424\"><code>424 Failed Dependency</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/425\"><code>425 Too Early</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/426\"><code>426 Upgrade Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/428\"><code>428 Precondition Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/429\"><code>429 Too Many Requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/431\"><code>431 Request Header Fields Too Large</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/451\"><code>451 Unavailable For Legal Reasons</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/500\"><code>500 Internal Server Error</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/501\"><code>501 Not Implemented</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/502\"><code>502 Bad Gateway</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/503\"><code>503 Service Unavailable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/504\"><code>504 Gateway Timeout</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/505\"><code>505 HTTP Version Not Supported</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/506\"><code>506 Variant Also Negotiates</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/507\"><code>507 Insufficient Storage</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/508\"><code>508 Loop Detected</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/510\"><code>510 Not Extended</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/511\"><code>511 Network Authentication Required</code></a></li></ol></details></li><li class=\"toggle\"><details><summary>CSP directives</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri\"><code>CSP: base-uri</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content\"><code>CSP: block-all-mixed-content</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src\"><code>CSP: child-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src\"><code>CSP: connect-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src\"><code>CSP: default-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src\"><code>CSP: fenced-frame-src</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src\"><code>CSP: font-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action\"><code>CSP: form-action</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"><code>CSP: frame-ancestors</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src\"><code>CSP: frame-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src\"><code>CSP: img-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src\"><code>CSP: manifest-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src\"><code>CSP: media-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src\"><code>CSP: object-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src\"><code>CSP: prefetch-src</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to\"><code>CSP: report-to</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri\"><code>CSP: report-uri</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n<span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for\"><code>CSP: require-trusted-types-for</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox\"><code>CSP: sandbox</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>CSP: script-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr\"><code>CSP: script-src-attr</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem\"><code>CSP: script-src-elem</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src\"><code>CSP: style-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr\"><code>CSP: style-src-attr</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem\"><code>CSP: style-src-elem</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types\"><code>CSP: trusted-types</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests\"><code>CSP: upgrade-insecure-requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src\"><code>CSP: worker-src</code></a></li></ol></details></li><li class=\"toggle\"><details><summary>CORS errors</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled\"><code>Reason: CORS disabled</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin\"><code>Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin\"><code>Reason: CORS header 'Access-Control-Allow-Origin' missing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded\"><code>Reason: CORS header 'Origin' cannot be added</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed\"><code>Reason: CORS preflight channel did not succeed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed\"><code>Reason: CORS request did not succeed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed\"><code>Reason: CORS request external redirect not allowed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp\"><code>Reason: CORS request not HTTP</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\"><code>Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMethodNotFound\"><code>Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials\"><code>Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowHeader\"><code>Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowMethod\"><code>Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowHeaderFromPreflight\"><code>Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed\"><code>Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed</code></a></li></ol></details></li><li class=\"toggle\"><details><summary>Permissions-Policy directives</summary><ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer\"><code>Permissions-Policy: accelerometer</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor\"><code>Permissions-Policy: ambient-light-sensor</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/attribution-reporting\"><code>Permissions-Policy: attribution-reporting</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay\"><code>Permissions-Policy: autoplay</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/bluetooth\"><code>Permissions-Policy: bluetooth</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics\"><code>Permissions-Policy: browsing-topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n<span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera\"><code>Permissions-Policy: camera</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure\"><code>Permissions-Policy: compute-pressure</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/cross-origin-isolated\"><code>Permissions-Policy: cross-origin-isolated</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture\"><code>Permissions-Policy: display-capture</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain\"><code>Permissions-Policy: document-domain</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media\"><code>Permissions-Policy: encrypted-media</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen\"><code>Permissions-Policy: fullscreen</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad\"><code>Permissions-Policy: gamepad</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation\"><code>Permissions-Policy: geolocation</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope\"><code>Permissions-Policy: gyroscope</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid\"><code>Permissions-Policy: hid</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get\"><code>Permissions-Policy: identity-credentials-get</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection\"><code>Permissions-Policy: idle-detection</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/local-fonts\"><code>Permissions-Policy: local-fonts</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer\"><code>Permissions-Policy: magnetometer</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone\"><code>Permissions-Policy: microphone</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi\"><code>Permissions-Policy: midi</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/otp-credentials\"><code>Permissions-Policy: otp-credentials</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment\"><code>Permissions-Policy: payment</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture\"><code>Permissions-Policy: picture-in-picture</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create\"><code>Permissions-Policy: publickey-credentials-create</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get\"><code>Permissions-Policy: publickey-credentials-get</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock\"><code>Permissions-Policy: screen-wake-lock</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial\"><code>Permissions-Policy: serial</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection\"><code>Permissions-Policy: speaker-selection</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access\"><code>Permissions-Policy: storage-access</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb\"><code>Permissions-Policy: usb</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share\"><code>Permissions-Policy: web-share</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management\"><code>Permissions-Policy: window-management</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking\"><code>Permissions-Policy: xr-spatial-tracking</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n<span class=\"visually-hidden\">Experimental</span>\n</abbr></li></ol></details></li><li><a href=\"/en-US/docs/Web/HTTP/Resources_and_specifications\">HTTP resources and specifications</a></li></ol>","source":{"folder":"en-us/web/http/headers/www-authenticate","github_url":"https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/www-authenticate/index.md","last_commit_url":"https://github.com/mdn/content/commit/ed041385cf874deec203e820fd415bdcd6f98a19","filename":"index.md"},"summary":"The HTTP WWW-Authenticate response header advertises the HTTP authentication methods (or challenges) that might be used to gain access to a specific resource.","title":"WWW-Authenticate","toc":[{"text":"Syntax","id":"syntax"},{"text":"Directives","id":"directives"},{"text":"Examples","id":"examples"},{"text":"Specifications","id":"specifications"},{"text":"Browser compatibility","id":"browser_compatibility"},{"text":"See also","id":"see_also"}],"baseline":{"baseline":"high","baseline_low_date":"2015-07-29","baseline_high_date":"2018-01-29","support":{"chrome":"1","chrome_android":"18","edge":"12","firefox":"1","firefox_android":"4","safari":"1","safari_ios":"1"},"asterisk":true},"browserCompat":["http.headers.WWW-Authenticate"],"pageType":"http-header"}}</script></body></html>