3.1.5 Message Processing Events and Sequencing Rules

The WWW-Authenticate header is only sent from the server. The Authorization header is only sent by the client. (For details, see [RFC2617] and also see [RFC2616] sections 14.47 and 14.8.) Clients, servers, and proxies MUST be compliant with [RFC2617] and [RFC2616].

The Proxy-Authenticate header is only sent from the proxy. The Proxy-Authorization header is only sent by the client. (For more information, see [RFC2617] and [RFC2616] sections 14.33 and 14.34.) Clients, servers, and proxies MUST be compliant with [RFC2617] and [RFC2616].