What is a 401 Error?

The HTTP 401 error, also known as “Unauthorized,” is a status code that informs the client that the request lacks valid authentication credentials or the provided credentials are insufficient to access the requested resource. When a client receives a 401 error, it means that the server requires authentication before granting access to the resource, and the client hasn’t provided the necessary credentials.

Now, let’s explore the two primary causes of HTTP 401 error: StackProtect and HTTP authentication.

StackProtect: Protecting Against Bots

StackProtect is part of our security software and operates similarly to popular services like Cloudflare. Its primary function is to safeguard websites and online services from automated bots and unauthorized access. One of the techniques StackProtect employs is presenting users with a CAPTCHA challenge.

When StackProtect detects suspicious activity, such as “bot-like” behaviour or access attempts from a known-bad IP address or user agent, it can trigger a CAPTCHA challenge for the client. The CAPTCHA is a test designed to differentiate between human users and automated bots. If the user fails to pass this test, the server may return an HTTP 401 error. In this scenario, the client must prove its human identity by successfully completing the CAPTCHA to gain access.

HTTP Auth: Protecting Against Invalid User Credentials

HTTP authentication is a mechanism for clients to provide valid credentials to access protected resources on a server. There are different methods of HTTP authentication, such as Basic Authentication, Digest Authentication, and Bearer Token Authentication. The server relies on these credentials to verify the client’s identity and determine whether access should be granted.

The most common cause of an HTTP 401 error in the context of HTTP auth is when the client provides incorrect or missing authentication credentials. This could be due to a typo in the username or password, or the client failing to include the required authentication headers in the request.

Another cause of an HTTP 401 error in the context of HTTP auth is expired credentials. Authentication credentials often have a limited validity period. If the client uses expired credentials, the server will respond with a 401 error, signalling the need to reauthenticate and obtain fresh credentials.

Resolving HTTP 401 Errors

If users are continuously seeing the StackProtect page or if a particular bot is being blocked from accessing the site, please raise a support ticket and our support team can provide further advice on whitelisting access or disabling StackProtect for the package.

If users are failing to authenticate against the site, then you should ensure that the login credentials being used are correct. HTTP authentication is commonly set up using the .htaccess and .htpasswd files, so these can be checked to change or disable the authentication mechanism.

Our support team are happy to help with the process of finding where the authentication prompt may be coming from.