401 responses MUST have a `WWW-Authenticate` header.

[issuefiler]

express-basic-auth/README.md

Lines 137 to 140 in dd17b4d

	### Challenge
	Per default the middleware will not add a `WWW-Authenticate` challenge header to
	responses of unauthorized requests. You can enable that by adding `challenge: true`

express-basic-auth/index.js

Lines 66 to 75 in dd17b4d

	function unauthorized() {
	if(challenge) {
	var challengeString = 'Basic'
	var realmName = realm(req)
	if(realmName)
	challengeString += ' realm="' + realmName + '"'
	res.set('WWW-Authenticate', challengeString)
	}

The current default behavior, responding with the status code 401 without the WWW-Authenticate header field, violates RFC 9110. Do you have any particular reasons for the decision on the default behavior that is not RFC-compliant?

RFC 9110 — HTTP semantics

15.5.2. 401 Unauthorized

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 11.6.1) containing at least one challenge applicable to the target resource.

---

Suggestion

I suggest changing this line

express-basic-auth/index.js

Line 30 in dd17b4d

var challenge = options.challenge != undefined ? !!options.challenge : false

to

const challenge = !!(options.challenge ?? true);

, and accordingly the documentation as well.