Proxy-Authenticate
Description
The Proxy-Authenticate response header specifies the authentication method that should be used to gain access to a resource behind a proxy server. This header is sent by a proxy server when it requires authentication, typically in a response with a 407 Proxy Authentication Required status code.
When a client makes a request through a proxy that requires authentication, the proxy responds with a 407 status and includes the Proxy-Authenticate header to inform the client about the authentication scheme(s) that can be used. The client must then make a new request with the appropriate credentials provided in the Proxy-Authorization request header.
The Proxy-Authenticate header is similar to the WWW-Authenticate header, but while WWW-Authenticate is used by origin servers to protect their resources, Proxy-Authenticate is used by proxy servers to protect access to the network or resources beyond the proxy.
Syntax
The syntax of the Proxy-Authenticate header follows this structure:
<auth-scheme>: The authentication scheme (e.g., Basic, Digest, Bearer).
realm=<realm>: Optional parameter defining the protection space or "realm".
charset="UTF-8": Optional parameter indicating the character encoding for the credentials.
<auth-param>: Optional additional authentication parameters specific to the authentication scheme.
Example Syntax
This example indicates that Basic authentication is required to access the proxy, with the realm "Proxy Server".
Examples
Basic Authentication Example
A proxy requiring Basic authentication:
HTTP/1.1 407 Proxy Authentication Required
Date: Mon, 02 Jun 2025 15:00:00 GMT
Proxy-Authenticate: Basic realm="Corporate Proxy"
Content-Type: text/html
Content-Length: 345

<html>
<head><title>407 Proxy Authentication Required</title></head>
<body>
<h1>Proxy Authentication Required</h1>
<p>This proxy requires authentication to access the requested resource.</p>
</body>
</html>
Client's subsequent request with authentication:
GET http://example.com/ HTTP/1.1
Host: example.com
Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Digest Authentication Example
A proxy requiring Digest authentication:
HTTP/1.1 407 Proxy Authentication Required
Date: Mon, 02 Jun 2025 15:10:30 GMT
Proxy-Authenticate: Digest realm="Corporate Proxy", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
Content-Type: text/html
Content-Length: 345

<html>
<head><title>407 Proxy Authentication Required</title></head>
<body>
<h1>Proxy Authentication Required</h1>
<p>This proxy requires authentication to access the requested resource.</p>
</body>
</html>
Client's subsequent request with authentication:
GET http://example.com/ HTTP/1.1
Host: example.com
Proxy-Authorization: Digest username="user", realm="Corporate Proxy", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"
Multiple Authentication Schemes Example
A proxy offering multiple authentication options:
HTTP/1.1 407 Proxy Authentication Required
Date: Mon, 02 Jun 2025 15:20:45 GMT
Proxy-Authenticate: Basic realm="Corporate Proxy"
Proxy-Authenticate: Digest realm="Corporate Proxy", qop="auth", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
Proxy-Authenticate: Bearer realm="Corporate Proxy"
Content-Type: text/html
Content-Length: 345

<html>
<head><title>407 Proxy Authentication Required</title></head>
<body>
<h1>Proxy Authentication Required</h1>
<p>This proxy requires authentication to access the requested resource.</p>
</body>
</html>
In this example, the proxy offers three different authentication schemes: Basic, Digest, and Bearer. The client can choose any of these methods for authentication.
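Because the choice is left to the client, a client that simply takes the first challenge listed ends up on Basic, whose credentials are only base64-encoded. The following Python is an added example, not part of the original page: it parses the Proxy-Authenticate values from the 407 above and selects a scheme by the client's own preference order. The function names, the preference order and the proxy_link_is_tls flag are assumptions made for illustration.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# One list element: key=value (an auth-param) or a bare token (an auth-scheme).
# token68 credentials (e.g. Negotiate blobs) are out of scope for this sketch.
ITEM = re.compile(
    rf'(?:(?P<key>{TOKEN})\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|[^\s,"]+)'
    rf'|(?P<scheme>{TOKEN}))[\s,]*'
)
# Constructed sample: the field values of the multi-scheme 407 shown above.
SAMPLE = [
    'Basic realm="Corporate Proxy"',
    'Digest realm="Corporate Proxy", qop="auth", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"',
    'Bearer realm="Corporate Proxy"',
]

def parse_challenges(field_values):
    """Return [(scheme, params)] from one or more Proxy-Authenticate values."""
    challenges = []
    for value in field_values:
        value, pos, found = value.strip(" \t,"), 0, []
        while pos < len(value):
            m = ITEM.match(value, pos)
            if not m:
                raise ValueError(f"malformed challenge near {value[pos:]!r}")
            pos = m.end()
            if m["scheme"]:
                found.append((m["scheme"].lower(), {}))
            elif found:
                val = m["val"]
                if val.startswith('"'):  # unquote and undo backslash escapes
                    val = re.sub(r"\\(.)", r"\1", val[1:-1])
                found[-1][1][m["key"].lower()] = val
            else:
                raise ValueError("auth-param before any auth-scheme")
        challenges.extend(found)
    return challenges

def choose_challenge(challenges, preferred=("digest", "basic"), proxy_link_is_tls=False):
    """Select by the client's own preference order, not the proxy's listing order."""
    offered = {s: p for s, p in reversed(challenges)}  # first offer of a scheme wins
    for scheme in preferred:
        if scheme == "basic" and not proxy_link_is_tls:
            continue  # Basic is only base64(user:password); skip it on a cleartext hop
        if scheme in offered:
            return scheme, offered[scheme]
    return None  # nothing acceptable: fail closed instead of downgrading
```

With the sample above, choose_challenge(parse_challenges(SAMPLE)) returns the Digest challenge even though Basic is listed first, and returns None when only Basic is offered over a cleartext connection to the proxy.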
Summary
The Proxy-Authenticate response header is a critical component of proxy authentication systems, informing clients about the authentication methods required to access resources through a proxy server. When a proxy responds with a 407 Proxy Authentication Required status, this header provides the necessary information for clients to construct a proper authentication request. Understanding this header is essential for developers working in environments where proxy servers are used to control access to networks or resources, particularly in corporate settings where authenticated proxies are common for security and monitoring purposes.