If a (proxy) server receives
invalid
credentials, it should respond with a
401
Unauthorized
or with a
407
Proxy Authentication Required
, and the user may send a new request or replace the
Authorization
header field.
If a (proxy) server receives valid credentials that are
inadequate
to access a given resource, the server should respond with the
403
Forbidden
status code. Unlike
401
Unauthorized
or
407
Proxy Authentication Required
, authentication is impossible for this user and browsers will not propose a new attempt.
In all cases, the server may prefer returning a
404
Not Found
status code, to hide the existence of the page to a user without adequate privileges or not correctly authenticated.