When using the “Password Protected Site” feature, the password page has an HTTP 200 OK response code. I believe this should actually be 401 Unauthorized.
Returning the wrong response code means that certain automated tests don’t flag a password protected site correctly.
Thanks for writing in, this is a good idea so I filed an issue for our team to look at. I can’t say when it’ll be addressed, but we’ll update this thread when that happens. Note that as an alternative, you can use http basic auth which will return a 401: Custom headers | Netlify Docs
The use case issue is monitoring for people accidentally turning on password protection for production sites via Netlify UI, which basic auth wouldn’t have any bearing on.