A server sends a 401 Unauthorized response when the requested resource requires authentication and the request either carried no credentials or carried credentials that failed authentication.
When responding with a 401, the response must also include a WWW-Authenticate header field.
If a user tried to log in using an HTTP authentication scheme (Basic, Digest, Bearer and so on), 401 is the correct code to send. 403 Forbidden is intended for the case where the server is refusing to fulfill the request, for example because the credentials are valid but the user is not permitted to access that resource, and it is also the code used by HTML form based logins, which have no HTTP authentication scheme to advertise in a WWW-Authenticate challenge. In other words:
The server understood the request, but is refusing to fulfill it.
Even though HTTP-based authentication can be used, HTML form-based logins are much more common in modern web applications.
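The distinction above, worked through as an added example that is not part of the original page: a request handler for a resource protected by HTTP Basic authentication. Missing, malformed or wrong credentials get a 401 with the mandatory WWW-Authenticate challenge; valid credentials for a user who is not allowed to read the resource get a 403 with no challenge. The user table, the access-control list, the realm name and the helper names (`handle_request`, `basic_header`) are constructed for the demo.

```python
import base64
import binascii
import hmac

# Constructed demo credential store: username -> password.
# Plain text only to keep the demo short; a real deployment stores salted password hashes.
USERS = {"alice": "correct horse battery staple"}

# Constructed authorization rule: path prefix -> set of users allowed to read it.
ACL = {"/reports/": {"alice"}, "/admin/": set()}

REALM = "example"  # assumed realm name, shown to the user by the browser's login prompt


def parse_basic_authorization(value):
    """Return (username, password) from a 'Basic <base64>' header value, or None if malformed."""
    scheme, _, payload = value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def authenticate(headers):
    """Return the username if the Authorization header carries valid credentials, else None."""
    value = headers.get("Authorization")
    if value is None:
        return None
    parsed = parse_basic_authorization(value)
    if parsed is None:
        return None
    username, password = parsed
    expected = USERS.get(username, "")
    # Constant-time comparison so the response time does not depend on which byte differs.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return username if ok and username in USERS else None


def authorized(username, path):
    """True if the ACL allows this user to read this path."""
    for prefix, allowed in ACL.items():
        if path.startswith(prefix):
            return username in allowed
    return False


def handle_request(method, path, headers):
    """Return (status, response_headers, body) for a request to a protected resource."""
    username = authenticate(headers)
    if username is None:
        # No credentials, unparsable credentials or wrong credentials: 401.
        # The WWW-Authenticate challenge is mandatory on a 401 response.
        challenge = 'Basic realm="%s", charset="UTF-8"' % REALM
        return 401, {"WWW-Authenticate": challenge}, b"Unauthorized"
    if not authorized(username, path):
        # Authentication succeeded, but this user may not access this resource: 403, no challenge.
        return 403, {}, b"Forbidden"
    return 200, {"Content-Type": "text/plain"}, ("hello %s" % username).encode("utf-8")


def basic_header(username, password):
    """Build the Authorization header value a client would send (demo helper)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    print(handle_request("GET", "/reports/q1", {}))
    print(handle_request("GET", "/reports/q1", {"Authorization": basic_header("alice", "wrong")}))
    print(handle_request("GET", "/reports/q1", {"Authorization": basic_header("alice", USERS["alice"])}))
    print(handle_request("GET", "/admin/users", {"Authorization": basic_header("alice", USERS["alice"])}))
```

Note that the wrong-password and unknown-user cases return the same 401 with the same challenge, so the response does not reveal which half of the credential was wrong; the 403 branch is only reached once the caller is known.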
Soft Authentication Errors
Since many attackers and spammers run automated tools to brute-force logins, you might not want to always answer a failed login attempt with the normal response. Withholding the response, delaying it, or answering in a way the tool does not expect can confuse automated attacks and sometimes discourages them from continuing. Treat this as an extra layer rather than a substitute: per-client and per-account rate limiting or lockout is what actually bounds the number of guesses an attacker gets.