The current default behavior, responding with the status code 401 without the WWW-Authenticate header field, violates RFC 9110. Do you have any particular reasons for the decision on the default behavior that is not RFC-compliant?
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 11.6.1) containing at least one challenge applicable to the target resource.
https://github.com/LionC/express-basic-auth/blob/dd17b4de9fee9558269cdc583310bde5331456e7/README.md?plain=1#L137-L140
https://github.com/LionC/express-basic-auth/blob/dd17b4de9fee9558269cdc583310bde5331456e7/index.js#L66-L75
Suggestion
I suggest changing this line
https://github.com/LionC/express-basic-auth/blob/dd17b4de9fee9558269cdc583310bde5331456e7/index.js#L30
to
, and accordingly the documentation as well.