The Proxy-Authenticate response header is used by a proxy to secure access to it by the next outbound client in the response chain.
protocol | HTTP Header |
type | Response Header |
Mozilla link | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate |
RFC | RFC7235 |
The Proxy-Authenticate header consists of one or more challenges that indicate the authentication scheme(s) and parameters applicable to the proxy for the requested URI. The header accompanies a 407 (Proxy Authentication Required) response code. Importantly, the Proxy-Authenticate header (see WWW-Authenticate by way of contrast) applies to the next outbound client in the response chain only; that is, only the first client encountered will respond to the challenge, and it will not proxy the header*.
*It is assumed that the only client capable of responding to this challenge satisfactorily is the first client in the response chain before the proxy, as it has selected the proxy and is likely the only party to have the credentials.
Proxy-Authenticate = "Proxy-Authenticate" ":" 1#challenge
Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the next outbound client on the response chain. This is because only the client that chose a given proxy is likely to have the credentials necessary for authentication. However, when multiple proxies are used within the same administrative domain, such as office and regional caching proxies within a large corporate network, it is common for credentials to be generated by the user agent and passed through the hierarchy until consumed. Hence, in such a configuration, it will appear as if Proxy-Authenticate is being forwarded because each proxy will send the same challenge set. Note that the parsing considerations for WWW-Authenticate apply to this header field as well; see Section 4.1 of RFC 7235 for details.
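The parsing considerations mentioned above come down to one ambiguity: a comma separates challenges, but it also separates the auth-params inside a single challenge and may appear inside a quoted realm. The following is an added example (not code from the original page or from RFC 7235) that splits a field value into challenges; the function names and the SAMPLE value are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token BWS "=" BWS ( token / quoted-string )
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
# Constructed sample: two challenges, with a comma inside the quoted realm.
SAMPLE = 'Digest realm="proxy, east", qop="auth", nonce="abc123", Basic realm="proxy, east"'

def split_elements(value):
    """Split a field value on commas that are outside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        if escaped or (quoted and ch == "\\"):
            escaped = not escaped      # a backslash escapes exactly one character
        elif ch == '"':
            quoted = not quoted
        buf.append(ch)
    if quoted:
        raise ValueError("unterminated quoted-string")
    return [p for p in parts + ["".join(buf).strip()] if p]

def _param(m):
    name, quoted, token = m.groups()
    return name.lower(), re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token

def parse_challenges(value):
    """Return the list of challenges carried in one Proxy-Authenticate value."""
    challenges = []
    for elem in split_elements(value):
        m = PARAM.fullmatch(elem)
        if m and challenges:  # bare auth-param: continues the previous challenge
            challenges[-1]["params"].update([_param(m)])
            continue
        scheme, _, rest = (s.strip() for s in elem.partition(" "))
        m = PARAM.fullmatch(rest)
        bad_rest = bool(rest) and m is None and not TOKEN68.fullmatch(rest)
        if bad_rest or not re.fullmatch(TOKEN, scheme):
            raise ValueError(f"malformed challenge element: {elem!r}")
        token68 = rest if rest and m is None else None
        challenges.append({"scheme": scheme, "token68": token68,
                           "params": dict([_param(m)]) if m else {}})
    return challenges
```

When a response carries several Proxy-Authenticate header lines, join their values with ", " before calling `parse_challenges`.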
WWW-Authenticate
Authorization
Proxy-Authorization
Example Proxy-Authenticate headers commonly found on the internet.
Proxy-Authenticate: Basic
Proxy-Authenticate: Basic realm="Access to the internal site"
Unless there is a specific reason to populate this header, it should be avoided.