From c76660261851b326cde01b75524dfefcdda6856c Mon Sep 17 00:00:00 2001
From: Lutz Freitag <lutz@gottliebtfreitag.de>
Date: Tue, 22 Oct 2019 19:53:57 +0800
Subject: [PATCH] explicitly tell users that the www-authenticate header must
 be set on every response from the HTTP server

Signed-off-by: Lutz Freitag <lutz@gottliebtfreitag.de>
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 85e886c..718941b 100644
--- a/README.md
+++ b/README.md
@@ -136,6 +136,8 @@ BasicAuth
 
 Authenticate users by an [HTTP Basic access authentication][BasicAuth_0]  call.
 HTTP server of your choice to authenticate. It should return HTTP 2xx for correct credentials and an appropriate other error code for wrong ones or refused access.
+The HTTP server _must_ respond to any requests to the target URL with the "www-authenticate" header set. 
+Otherwise BasicAuth considers itself to be misconfigured or the HTTP server unfit for authentication.
 
 ### Configuration
 The only supported parameter is the URL of the web server where the authentication happens.