407 Proxy Authentication Required
The client must first authenticate itself with the proxy.
Usually happens because:
- ☑ Corporate network gateway proxy filters
- ☑ Missing or invalid 'Proxy-Authorization' headers.
🔍 Quick Checklist:
Meaning
The HTTP 407 Proxy Authentication Required client error status code indicates that the request has not been applied because the client needs to provide authentication credentials to access internet resources through a proxy server.
Root Causes
- Corporate network gateway proxy filters restricting external internet access.
- Missing or invalid 'Proxy-Authorization' headers.
| Cause | Frequency |
|---|---|
| Corporate network gateway proxy filters | ⭐⭐⭐⭐⭐ |
| Missing or invalid 'Proxy-Authorization' headers. | ⭐⭐⭐⭐ |
Common Mistakes
- Confusing 407 with 401 (use 401 for origin server auth, 407 exclusively for intermediate proxy gateways).
- Omitting the 'Proxy-Authenticate' header field in the 407 response.
How to Fix
Framework-Specific Examples
Express middleware validating Proxy-Authorization.
app.use((req, res, next) => {
const proxyAuth = req.headers['proxy-authorization'];
if (!proxyAuth) {
return res.status(407).set('Proxy-Authenticate', 'Basic').end();
}
next();
});Server Configuration Examples
Configuring forward proxy authorization logic.
# Nginx forward proxy basic authentication modulesPrevention
- Ensure corporate clients are provisioned with automated proxy credential management files (PAC).
Frequently Asked Questions (FAQ)
Q: What is the difference between 401 and 407?
401 represents authentication required by the origin server hosting the website. 407 represents authentication required by an intermediate proxy server (e.g. corporate gateway) before forwarding traffic.
Q: Which headers are used for proxy authentication?
The server returns 'Proxy-Authenticate' in 407 responses. The client follows up by sending credentials in the 'Proxy-Authorization' request header.
Q: Does 407 trigger browser dialog boxes?
Yes. If the proxy returns 'Proxy-Authenticate: Basic...', browsers will prompt users to authenticate with the proxy.
Q: How do CLI tools (like curl) handle proxy authentication?
You must specify credentials using command options, such as `curl -x proxy:port -U username:password url`.