What HTTP code to use in “Not Authenticated” and “Not authorized” cases?

Backend · Unresolved · 4 · 979
死守一世寂寞 2021-02-03 23:34

I read that the "401 Unauthorized" code must be used when a user:

  1. Is not logged in, but login is required ("not authenticated");
  2. Is logged in, but his profile d
4 answers
  •  失恋的感觉
    2021-02-03 23:59

    You should pass a custom header in addition to the status code for application specific needs.

    I believe the current practice is to preface custom headers with X-.

    Update, August 2012:

    From the RFC 3864 posted in the comments (dated September 2004):

    In some cases (notably HTTP [24]), the header syntax and usage is redefined for the specific application. [...] In some cases, the same field name may be specified differently (by different documents) for use with different application protocols. [...] We need to accommodate application-specific fields, while wishing to recognize and promote (where appropriate) commonality of other fields across multiple applications.

    In a more recent RFC (6648, dated June 2012), they specifically address X- headers.

    Deprecates the "X-" convention for newly defined parameters in application protocols, including new parameters for established protocols. [...] Does not recommend against the practice of private, local, preliminary, experimental, or implementation-specific parameters, only against the use of "X-" and similar constructs in the names of such parameters.

    Important to note is that while X- is specifically noted, they do still implicitly condone custom headers as a way of transferring information. An application specific prefix (MyApp-) might be more appropriate to avoid ever colliding with any other headers.

    See also: "Is it safe to use "X-" header in a HTTP response" from a few years ago.
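An added example (not part of the original answer) of the approach the answer describes: the server pairs the standard status code with an application-prefixed custom header that carries the precise reason, and the client dispatches on that header. The header name `MyApp-Auth-Reason`, its values, the `Bearer` scheme and the realm string are assumptions of this example; the requirement that a 401 response carry `WWW-Authenticate` comes from RFC 7235, section 3.1.

```python
"""Status code plus app-specific reason header (example code, not from the post).

Assumptions: the custom header is named 'MyApp-Auth-Reason' (an app prefix,
not 'X-', per RFC 6648); its values 'not-authenticated' and
'insufficient-role' are invented for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)


REASON_HEADER = "MyApp-Auth-Reason"   # assumed name; app prefix instead of X-


def auth_response(user, required_role, realm="api"):
    """Decide the response for a protected resource.

    user: None when no valid credentials were presented, otherwise a dict
    with a 'roles' sequence (constructed shape for this example).
    """
    if user is None:
        # Not authenticated: 401, and RFC 7235 s3.1 requires WWW-Authenticate
        # so the client knows how to present credentials.
        return Response(401, "Unauthorized", {
            "WWW-Authenticate": f'Bearer realm="{realm}"',
            REASON_HEADER: "not-authenticated",
        })
    if required_role not in user.get("roles", ()):
        # Authenticated but lacking permission: 403; re-authenticating with
        # the same identity will not help, so no WWW-Authenticate here.
        return Response(403, "Forbidden", {REASON_HEADER: "insufficient-role"})
    return Response(200, "OK")


def client_action(resp):
    """Client-side dispatch on the status code and the custom header.

    Falls back to the status code alone when the header is absent, so a
    client still behaves sensibly against a server that does not set it.
    """
    reason = resp.headers.get(REASON_HEADER)
    if resp.status == 401 or reason == "not-authenticated":
        return "prompt-login"
    if resp.status == 403 or reason == "insufficient-role":
        return "show-access-denied"
    return "proceed"


if __name__ == "__main__":
    # Constructed sample principals for a quick run.
    for principal in (None, {"roles": ["user"]}, {"roles": ["admin"]}):
        r = auth_response(principal, "admin")
        print(r.status, r.reason, r.headers, "->", client_action(r))
```

The server never leaks which of the two conditions applies beyond what the status code already implies, so the custom header adds precision for the application's own client without widening what an anonymous caller learns.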
