HTTP 407 Proxy Authentication Required
HTTP 407 Proxy Authentication Required is like 401, but the authentication is demanded by a proxy between the client and the server rather than by the origin. The proxy returns a Proxy-Authenticate header describing the challenge, and the client must resend with Proxy-Authorization. It almost never originates from your own web server, so seeing it usually points at network or proxy configuration rather than your site.
What 407 means
407 Proxy Authentication Required is defined in RFC 9110. It mirrors 401 Unauthorized, but the entity demanding credentials is a proxy server sitting between the client and the origin. The proxy must send a Proxy-Authenticate header stating the authentication scheme and realm, and the client retries with a Proxy-Authorization header.
The key distinction from 401 is the layer: 401 is your origin asking for credentials; 407 is an intermediary asking. The two use different header pairs precisely so the credentials reach the right hop.
Why it matters for crawling
Public web crawlers normally connect directly to your origin and do not pass through an authenticating proxy, so a well-behaved search crawler should not encounter a 407 from your infrastructure. If 407s appear in monitoring, they usually come from a forward proxy, a corporate gateway, or a misconfigured outbound proxy on the client side.
When you investigate a 407, look at the network path rather than your application. Confirm whether the request even reached your origin; often it did not.
- 407 = proxy demands auth; 401 = origin demands auth
- Uses Proxy-Authenticate / Proxy-Authorization headers
- Public crawlers should not hit a 407 from a direct origin
How it appears in analytics and logs
A 407 means a proxy in the path required authentication and the request did not satisfy it. The request never authenticated past the proxy, so your origin may not have seen it at all. It is a network-path signal, not usually an origin-content signal.
Diagnostic use case
Distinguish a 407 raised by an intermediary proxy from a 401 raised by your origin, so you debug the right layer when crawlers or monitors report it.
What WebmasterID can help detect
WebmasterID records the status codes observed for traffic to your site, helping you tell apart origin-level auth issues (401/403) from proxy-path issues (407) when investigating crawler access problems.
Common mistakes
- Confusing 407 with 401 and debugging the origin when the proxy is the gatekeeper.
- Assuming your server emitted the 407 when an intermediary proxy did.
- Looking for the WWW-Authenticate header on a 407 — it uses Proxy-Authenticate instead.
Privacy and accuracy notes
A 407 concerns proxy credentials, not visitor identity. WebmasterID records the status a request received without storing proxy credentials or linking the event to a person.
Related pages
- HTTP 401 Unauthorized and crawling
401 Unauthorized means the request lacks valid authentication credentials for the resource. Crawlers do not log in, so a page behind a 401 cannot be fetched or indexed. Seeing 401s for content you intended to be public usually means an auth layer is misconfigured or applied too broadly.
- HTTP 403 Forbidden and blocked crawlers
403 Forbidden means the server understood the request but refuses to authorize it, and authenticating will not help. For crawlers, a 403 often signals over-blocking — a WAF, bot-management rule, or IP filter rejecting legitimate crawlers and quietly removing pages from being indexed.
- Diagnosing a blocked crawler
When a crawler is not reaching your pages, the block can come from several layers: a robots.txt Disallow, a server-side 403, a WAF or bot-management rule, or an IP filter. Confirming which layer is responsible — rather than guessing — is the key to fixing it without opening doors you meant to keep shut.
- Website observability
Separate origin-level from network-path status codes when diagnosing access, recorded server-side.
Sources and verification notes
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.