HTTP 511 Network Authentication Required
HTTP 511 Network Authentication Required, from RFC 6585, is intended for use by intercepting proxies — captive portals — that need the client to authenticate before granting network access. It is deliberately not meant to be sent by origin servers. Its purpose is to give clients a machine-detectable signal that they are behind a captive portal rather than talking to the real site.
What 511 means
511 Network Authentication Required, defined in RFC 6585, is designed for captive portals — the login pages a network intercepts you with on public Wi-Fi before granting access. The RFC is explicit that 511 is not intended to be generated by origin servers; it is for the intercepting network element.
The value of the code is that it is machine-detectable: a client receiving 511 can recognise it is behind a captive portal and surface the login flow, rather than mistaking the portal page for the real requested resource.
Why it matters and caching caveats
Before 511 existed, captive portals would often return a 200 with their login HTML in place of the real site, which clients and caches could mistake for genuine content. 511 solves this by clearly signalling interception.
For crawling, a public search crawler connecting directly to your origin should never receive a 511, because it is not behind a captive portal. If a 511 appears, the client was on an intercepting network. A 511 response must not be cached as if it came from the origin, to avoid poisoning a cache with portal content.
- For captive portals, not origin servers (RFC 6585)
- Machine-detectable signal that you are behind a portal
- Do not cache 511 responses as origin content
How it appears in analytics and logs
A 511 means an intervening network requires authentication before it will route traffic. The response did not come from your origin; the client never reached you. It is a network-access signal, not an indexing signal for your pages.
Diagnostic use case
Recognise a 511 as a captive-portal interception rather than a response from your origin, and ensure such intercepted responses are never cached or mistaken for your real content.
What WebmasterID can help detect
WebmasterID records status codes observed for traffic, helping you recognise captive-portal interception (511) so it is not confused with origin-level errors when diagnosing access.
Common mistakes
- Emitting 511 from an origin server — the RFC reserves it for intercepting proxies.
- Caching a captive-portal page as if it were the real site (the problem 511 was created to fix).
- Confusing 511 with 401/407 origin or proxy authentication.
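The caching caveat and the 401/407/511 distinction above, as an added example (not code from the original page or from WebmasterID): a minimal client-side cache that classifies a raw response and refuses to store a 511 as origin content. `OriginCache`, `classify`, the store-only-200 policy and the sample responses are assumptions constructed for illustration.

```python
# Added example: keep captive-portal (511) responses out of an origin cache.
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict
    body: bytes

def parse_response(raw: bytes) -> Response:
    # Split a raw HTTP/1.x response into status, lower-cased headers and body.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # HTTP-version SP status-code SP reason
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Response(int(parts[1]), headers, body)

def classify(resp: Response) -> str:
    # Say who answered: the intercepting network, a proxy, or the origin.
    if resp.status == 511:
        return "captive-portal"   # network access control, never the origin
    if resp.status == 407:
        return "proxy-auth"       # proxy challenge (Proxy-Authenticate)
    if resp.status == 401:
        return "origin-auth"      # the resource itself wants credentials
    return "origin"

class OriginCache:
    # Simplified policy (assumption): store only 200 responses without no-store.
    def __init__(self):
        self.store = {}

    def offer(self, url: str, raw: bytes) -> str:
        resp = parse_response(raw)
        kind = classify(resp)
        no_store = "no-store" in resp.headers.get("cache-control", "").lower()
        if kind == "origin" and resp.status == 200 and not no_store:
            self.store[url] = resp
        return kind  # caller surfaces the portal login flow on "captive-portal"

# Constructed sample responses, not captured traffic.
ORIGIN_200 = b"HTTP/1.1 200 OK\r\nCache-Control: max-age=60\r\n\r\n<html>real page</html>"
PORTAL_511 = b"HTTP/1.1 511 Network Authentication Required\r\n\r\n<html>portal login</html>"
PROXY_407 = b'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="p"\r\n\r\n'
ORIGIN_401 = b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="o"\r\n\r\n'
```

Offering `PORTAL_511` for a URL that already holds `ORIGIN_200` leaves the stored origin copy untouched, and offering it to an empty cache stores nothing.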
Privacy and accuracy notes
A 511 concerns network access control, not visitor identity. WebmasterID records the status without storing portal credentials or linking the event to a person.
Related pages
- HTTP 401 Unauthorized and crawling
401 Unauthorized means the request lacks valid authentication credentials for the resource. Crawlers do not log in, so a page behind a 401 cannot be fetched or indexed. Seeing 401s for content you intended to be public usually means an auth layer is misconfigured or applied too broadly.
- HTTP 407 Proxy Authentication Required
HTTP 407 Proxy Authentication Required is like 401, but the authentication is demanded by a proxy between the client and the server rather than by the origin. The proxy returns a Proxy-Authenticate header describing the challenge, and the client must resend with Proxy-Authorization. It almost never originates from your own web server, so seeing it usually points at network or proxy configuration rather than your site.
- HTTP 510 Not Extended
HTTP 510 Not Extended comes from RFC 2774, an experimental specification for an HTTP extension framework. It signals that the server requires further extensions to the request before it will fulfil it. The mechanism saw little adoption, so 510 is rare in practice. As a 5xx code, crawlers treat it as a server error and will not index the URL while it persists.
- Website observability
Tell captive-portal interception apart from origin errors, recorded server-side.
Sources and verification notes
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.