Bug fixed: Password protected sites returning wrong status code

tldr: We just fixed a bug around password protected sites returning http status 200 instead of 401

The feature

If you want to restrict access to your whole site (all paths) you can enable password protection (in Pro plan and above).
This will make your site show a password prompt when people are visiting for the first time in their session.

The bug

Until today those password prompt pages (or if someone gave a wrong password) would be returning a status code of 200 in the HTTP response. According to the HTTP spec a more appropriate status code would be 401 Unauthorized.
Human visitors viewing your site with a browser might not have seen this bug since browsers rarely handle status codes if a response body is present.

A machine doing a HTTP request to your password protected site might use the status code to evaluate whether the request was successful and might expect to get some specific data layout back when it is just getting the HTML of the password prompt for any path.

In order to make those machines happy we changed that status code.
Have fun using the feature with any client now!

2 Likes