3.3.5 Message Processing Events and Sequencing Rules
The WWW-Authenticate header is only sent from the server. The Authorization header is only sent by the client. (For more information, see [RFC2617] and [RFC2616] section 14.47.) Servers MUST be compliant with [RFC2617] and [RFC2616].
The Proxy-Authenticate header is only sent from the proxy. The Proxy-Authorization header is only sent by the client. (For more information, see [RFC2617] and [RFC2616] sections 14.33 and 14.34.) Servers MUST be compliant with [RFC2617] and [RFC2616].
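The direction rules above, written as a conformance check over raw HTTP message heads; this is an added example, not part of the specification, and its function names and sample messages are constructed for illustration. It goes slightly beyond the section by also checking that 401 and 407 responses carry their challenge header (RFC 2616 sections 10.4.2 and 10.4.8), and it assumes only request versus response can be told apart, not proxy versus origin server.

```python
import re

# Direction rules from the section: which side may send each header.
RESPONSE_ONLY = {"www-authenticate", "proxy-authenticate"}
REQUEST_ONLY = {"authorization", "proxy-authorization"}
# RFC 2616 sections 10.4.2 / 10.4.8: challenge header required on these statuses.
REQUIRED_ON_STATUS = {401: "www-authenticate", 407: "proxy-authenticate"}
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})(?: |$)")


def parse_head(raw):
    """Return (status or None for a request, set of lowercased header names)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = STATUS_LINE.match(lines[0])
    status = int(m.group(1)) if m else None
    names = set()
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # obsolete folded continuation, not a new header
            continue
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())  # header names are case-insensitive
    return status, names


def check_message(raw):
    """List violations of the direction rules in one raw HTTP message."""
    status, names = parse_head(raw)
    if status is None:
        return [f"request carries response-only header {h}" for h in sorted(names & RESPONSE_ONLY)]
    findings = [f"response carries request-only header {h}" for h in sorted(names & REQUEST_ONLY)]
    need = REQUIRED_ON_STATUS.get(status)
    if need and need not in names:
        findings.append(f"{status} response lacks {need}")
    return findings


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "ok_challenge": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="example"\r\n\r\n',
    "ok_request": "GET / HTTP/1.1\r\nHost: example.test\r\nauthorization: Basic dXNlcjpwYXNz\r\n\r\n",
    "bad_request": 'GET / HTTP/1.1\r\nHost: example.test\r\nProxy-Authenticate: Basic realm="p"\r\n\r\n',
    "bad_response": "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw))
```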