when issuing a HTTP request against a protected resource (I am not
logged in), I am getting 401 (fine), but I don't see a
'WWW-Authenticate' header on the response. I also don't see any info
on this in the security roadmap (see ). Was there a special reason
to leave it out? I ask b/c usually that header is sent for basic,
digest or even oauth on the response header.