Proxy-Authenticate

The HTTP Proxy-Authenticate response header specifies the authentication method or challenge that must be used to access a resource behind a proxy server.
It is included in a 407 Proxy Authentication Required response, allowing the client to identify and respond to the proxy’s authentication requirements.

Syntax

A comma-separated list of one or more authentication challenges:

Proxy-Authenticate: <challenge>

Where a <challenge> consists of an <auth-scheme>, optionally followed by a <token68> or a list of <auth-params> separated by commas:

challenge = <auth-scheme> <auth-param>, …, <auth-paramN> 
challenge = <auth-scheme> <token68>

For example:

Proxy-Authenticate: <auth-scheme>
Proxy-Authenticate: <auth-scheme> token68
Proxy-Authenticate: <auth-scheme> auth-param1=param-token1
Proxy-Authenticate: <auth-scheme> auth-param1=param-token1, …, auth-paramN=param-tokenN

The inclusion of a token68 or authentication parameters depends on the specific <auth-scheme> in use.
For example, Basic authentication requires a <realm> and optionally accepts a charset, but does not support a token68:

Proxy-Authenticate: Basic realm="Dev", charset="UTF-8"

Directives

<auth-scheme>

A case-insensitive token indicating the Authentication scheme used.
Some of the more common types are Basic, Digest, Negotiate and AWS4-HMAC-SHA256.
IANA maintains a list of authentication schemes, but there are other schemes offered by host services.

<auth-param> Optional

An authentication parameter whose format depends on the <auth-scheme>.
<realm> is described below as it’s a common authentication parameter among many auth schemes.

<realm> Optional

The string realm followed by = and a quoted string describing a protected area, for example realm="staging environment".
A realm allows a server to partition the areas it protects (if supported by a scheme that allows such partitioning).
Some clients show this value to the user to inform them about which particular credentials are required — though most browsers stopped doing so to counter phishing.
The only reliably supported character set for this value is us-ascii.
If no realm is specified, clients often display a formatted hostname instead.

<token68> Optional

A token that may be useful for some schemes.
The token allows the 66 unreserved URI characters plus a few others.
It can hold a base64, base64url, base32, or base16 (hex) encoding, with or without padding, but excluding whitespace.
The token68 alternative to auth-param lists is supported for consistency with legacy authentication schemes.

Generally, you will need to check the relevant specifications for the authentication parameters needed for each <auth-scheme>.
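Because commas separate both challenges and the auth-params inside a challenge, and may also appear inside a quoted realm, splitting the header value on "," misparses it. The parser below is an added example, not code from Requestly or from any specification text; the function name `parse_proxy_authenticate` and the sample header value are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
ELEMENT = re.compile(rf'(?:[^",]|{QUOTED})+')   # comma split that respects quoted strings
PARAM = re.compile(rf'({TOKEN})\s*=\s*({TOKEN}|{QUOTED})')
TOKEN68 = re.compile(r'[A-Za-z0-9\-._~+/]+=*')

# Constructed sample: three challenges, one realm containing a comma.
SAMPLE = 'Negotiate YWJjZA==, Basic realm="Staging, server", charset="UTF-8", Digest realm="dev", qop=auth'

def _param(text):
    """Return (name, value) if text is exactly one auth-param, else None."""
    m = PARAM.fullmatch(text)
    if not m:
        return None
    name, value = m.group(1).lower(), m.group(2)
    if value.startswith('"'):
        value = re.sub(r'\\(.)', r'\1', value[1:-1])   # unquote, drop backslash escapes
    return name, value

def parse_proxy_authenticate(header_value):
    """Parse a Proxy-Authenticate value into a list of challenge dicts."""
    challenges = []
    for element in ELEMENT.findall(header_value):
        element = element.strip()
        if not element:
            continue
        pair = _param(element)
        if pair:   # bare auth-param: belongs to the challenge opened before it
            if not challenges or challenges[-1]["token68"]:
                raise ValueError(f"auth-param without a scheme: {element!r}")
            challenges[-1]["params"][pair[0]] = pair[1]
            continue
        scheme, _, rest = element.partition(" ")   # otherwise a new challenge starts here
        if not re.fullmatch(TOKEN, scheme):
            raise ValueError(f"bad auth-scheme: {element!r}")
        challenge = {"scheme": scheme.lower(), "token68": None, "params": {}}
        rest = rest.strip()
        pair = _param(rest)
        if pair:
            challenge["params"][pair[0]] = pair[1]
        elif TOKEN68.fullmatch(rest):
            challenge["token68"] = rest
        elif rest:
            raise ValueError(f"malformed challenge: {element!r}")
        challenges.append(challenge)
    return challenges
```

Scheme and parameter names are lower-cased because both are case-insensitive; parameter values and the token68 are returned unchanged.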

Example

Proxy-Authenticate Basic auth

The following response indicates that a Basic authentication scheme is required with a designated realm:

Proxy-Authenticate: Basic realm="Staging server"

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Proxy-Authenticate header. This can be crucial for debugging proxy authentication issues or testing how your application handles various proxy authentication challenges.

Steps to Modify the Proxy-Authenticate Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Proxy-Authenticate.
    • In the “Header Value” field, enter the desired authentication scheme and parameters (e.g., Basic realm="Example").
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-proxy-server.com/*).
  5. Save the rule.

Once configured, Requestly will modify the Proxy-Authenticate header in the responses to all matching requests, helping you test and troubleshoot proxy authentication behaviors effectively.

You might need to modify the Proxy-Authenticate header to simulate different authentication challenges from a proxy server. This helps developers ensure that their applications handle proxy authentication correctly and improves the debugging process when proxy issues arise.