Unauthorized

Official Substatus codes

The request was unauthorized

Specification of the HTTP status code 401

The 401 Unauthorized status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 Unauthorized response MUST send a WWW-Authenticate header field containing at least one challenge applicable to the target resource. If the request included authentication credentials, then the 401 Unauthorized response indicates that authorization has been refused for those credentials. The user agent MAY repeat the request with a new or replaced Authorization header field. If the 401 Unauthorized response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user agent SHOULD present the enclosed representation to the user, since it usually contains relevant diagnostic information.

Source / Quote by: The 401 Unauthorized HTTP Status Code is specified by section 3.1 of RFC7235.

HTTP-Protocol

How to throw a 401 statuscode with PHP?

To throw the HTTP status code 401 on a web page, the PHP function http_response_code can be used. The syntax is as follows: http_response_code(401) (PHP 5 >= 5.4.0, PHP 7, PHP 8)

Test the 401 HTTP status code

http-statuscode.com (Test Status code 401)

httpstat.us (Test Status code 401)

In order to be able to display the HTTP status code (in this case 401 Unauthorized) and other information on the client side, the development console must be opened with F12. Afterwards you have to navigate to the tab "Network". Now you can open the page, in the network tab you should see the web page (example index.php). This must be selected and then the Herder section must be selected. Here the user will see the following result:

Overview
URL: https://http-statuscode.com/errorCodeExample.php?code=401
Status: 401 Unauthorized
Those: Network
IP address: XX.XX.XX.XX

How to create a custom error page for the 401 status code

Creating your own 401 Unauthorized error page is relatively easy with the web server "Apache" as well as with the web server "NGINX".

Apache Webserver

The web server "Apache" is one of the most popular web servers on the Internet. To create an own 401 Unauthorized error page in "Apache", the following change must be made in the following file.

File: .htaccess

ErrorDocument 401 /errors/401.html

NGINX Webserver

Similar to the web server "Apache", "NGINX" is also widely used on the Internet. To create your own 401 Unauthorized error page in "NGINX", the following change must be made in the following file.

File: sites-enabled/default

error_page 401 /401.html;
location = /401.html {
root /usr/share/nginx/html;
internal;
}

Browser compatibility of the 401 status code

Chrome	Yes
Edge	Yes
Firefox	Yes
Opera	Yes
Safari	Yes
Chrome Android	Yes
Firefox for Android	Yes
Opera Android	Yes
Safari on iOS	Yes
Internet	Yes
WebView Android	Yes

Constants in programming languages

Microsoft Windows Runtime:

HttpStatusCode.Unauthorized

Go (Golang):

http.StatusUnauthorized

Symfony:

Response::HTTP_UNAUTHORIZED

Python2:

httplib.UNAUTHORIZED

Python3:

http.client.UNAUTHORIZED

Python3.5:

http.HTTPStatus.UNAUTHORIZED

Ruby on Rails:

:unauthorized

Sub status codes of the 401 status code

Sub status codes are purely technical, and should never be sent to the user. For example, if status code 401.1 is thrown, it may be logged, but status code 401 will be sent to the user.:

401.1	Logon failed HTTP IIS, Unofficial
401.2	Logon failed due to server configuration HTTP IIS, Unofficial
401.3	Unauthorized due to ACL on resource HTTP IIS, Unofficial
401.4	Authorization failed by filter HTTP IIS, Unofficial
401.5	Authorization failed by ISAPI/CGI application HTTP IIS, Unofficial
401.501	Access Denied: Too many requests from the same client IP; Dynamic IP Restriction Concurrent request rate limit reached. HTTP IIS, Unofficial
401.502	Forbidden: Too many requests from the same client IP; Dynamic IP Restriction Maximum request rate limit reached. HTTP IIS, Unofficial
401.503	Access Denied: the IP address is included in the Deny list of IP Restriction HTTP IIS, Unofficial
401.504	Access Denied: the host name is included in the Deny list of IP Restriction HTTP IIS, Unofficial

External links with more information about HTTP status code 401:

developer.mozilla.org (Status code 401)

en.wikipedia.org (Status code 401)

httpwg.org (HTTP Semantics Status code 401)

Funny memes about HTTP status code 401

🐕 Dog Memes (Status code 401)

🐈 Cat Memes (Status code 401)

Blog Articles

Protection against attacks through the xmlrpc.php file in WordPress

Section 1: What is the xmlrpc.php file and where is it foundThe xmlrpc.php file is an important component in WordPress, one of the world's leading content management systems (CMS) for creating and ...

Author: Tony Brüser

Tony Brüser is an enthusiastic web developer with a penchant for HTTP status codes.

LinkedIn GitHub