HTTP 511 vs 401 — Network Authentication Required vs Unauthorized Comparison

Quick Cheat Sheet

Aspect	511 Network Authentication Required	401 Unauthorized
Issued by	Network intermediary (captive portal)	The application server
Class	5xx — Server Error (kind of)	4xx — Client Error
Use case	Wi-Fi hotspot login, paywall portals	API/web app authentication
RFC	6585	9110
Required header	None standardized	WWW-Authenticate

When to Use 511

511 Network Authentication Required (RFC 6585 § 6) is a very specific code: it's for captive portals — those Wi-Fi login pages that appear on hotel, airport, or coffee-shop networks before you're allowed to use the internet.

When you connect to such a network and try to load https://news.example.com, the captive portal gateway intercepts your request and responds with 511 plus a body (or Location header) pointing to the portal login page.

The key distinguishing feature: 511 is sent by a network gateway, not by the actual server you're trying to reach. The user agent is supposed to recognize this and prompt the user to authenticate to the network.

Why Not Just 401?

You might think "isn't this just authentication? Use 401." But there's a critical reason 511 exists:

401 from a captive portal is dangerous. If a captive portal returns 401 for https://api.bank.com, the user agent might cache that 401 against the real bank's domain. Worse, with HTTP (not HTTPS), the portal can intercept and modify responses, which is essentially a man-in-the-middle attack.

511 explicitly identifies "this isn't the real server you asked for" — it's a marker for user agents to display a special "you need to log into this network" prompt rather than treating it as a real auth failure on the target server.

HTTPS Makes This Even More Important

With HTTPS, captive portals can't transparently intercept and modify traffic. They can only redirect HTTP requests, or rely on browsers to detect the captive portal via mechanisms like:

• Apple's captive.apple.com/hotspot-detect.html
• Android's connectivitycheck.gstatic.com
• Mozilla's detectportal.firefox.com

These probes deliberately use plain HTTP and look for any hijacked response — not necessarily 511. In practice, 511 is rare even for captive portals, because most just send 302 or 200-with-portal-page on the unauthenticated probe URLs.

When to Use 401

Always use 401 for application-level authentication failures: missing JWT, invalid API key, expired session. Use it on your own server responses to identified clients. Pair with WWW-Authenticate: Bearer (or your scheme).

Practical Reality

• 511 is one of the most rarely-used HTTP codes. Most captive portals don't actually use it.
• 401 is everywhere — every API, every secured web app uses it.

If you're building an actual captive portal product (rare for most devs), use 511. Otherwise, you'll basically never write code that returns 511.

Detection Approach

Modern OSes detect captive portals by issuing GET requests to known endpoints expecting specific responses (HTTP 204 or specific text). If they get anything else — including 511, 200 with a login page, or a 302 redirect — they assume a captive portal and prompt the user.