
Status code 511 is intended for use by intercepting proxies that control access to the network.
HTTP 511 Network Authentication Required means the client needs to authenticate to gain access to the network itself before the request can reach any server. It is generated by intercepting proxies that control network access, not by origin servers. The most common real-world example is the login or terms-of-service page that appears when connecting to public Wi-Fi at places like airports or cafés — often called a captive portal.
Strictly speaking, a 511 is not returned by an origin server at all — it is issued by an intercepting proxy that sits between the client and the network. This happens when a network operator requires authentication or acceptance of terms before granting a device access to the internet. Proxies often identify unauthenticated devices by their MAC address.
The 401, 407 and 511 status codes all relate to authentication, but at different layers. A 401 Unauthorized means the client failed to authenticate with the origin server itself. A 407 Proxy Authentication Required means a proxy is demanding credentials before forwarding the request onward. A 511 means authentication is required at the network level, before the request can reach any proxy or server at all.
Most browsers handle 511 by rendering the response body directly, which typically contains a <meta http-equiv="refresh"> tag or a link pointing to a captive portal login page. The user sees the login or terms page and, after authenticating, is returned to their original request. RFC 6585 explicitly notes that the response should contain a link to a resource that allows the user to authenticate.
Non-browser HTTP clients — scripts, mobile apps, or API clients — will not automatically follow a captive portal redirect, so they should detect a 511 response explicitly rather than treating it as a generic server error. Parse the response body for the login URL, surface the authentication step to the user, and retry the original request after network access is granted. Building in a clear distinction between 511 and 5xx server errors prevents confusing network connectivity problems with application bugs.
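The detection step described above, as an added example that is not part of the original page: a Python helper that keeps 511 separate from other 5xx responses and extracts the portal link from the body. The function names, the sample body and the `example.com` / `example.net` hosts are assumptions constructed for illustration; only `http` and `https` links are accepted as login targets.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re


class _PortalLinkParser(HTMLParser):
    """Collects candidate login URLs: meta refresh targets first, then <a href>."""

    def __init__(self):
        super().__init__()
        self.refresh, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=https://login.example.net/"
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.refresh.append(m.group(1).strip())
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def portal_login_url(body, request_url):
    """Return the first http(s) login URL found in a 511 body, else None."""
    parser = _PortalLinkParser()
    parser.feed(body)
    for candidate in parser.refresh + parser.links:
        absolute = urljoin(request_url, candidate)  # resolve relative links
        if urlsplit(absolute).scheme in ("http", "https"):
            return absolute
    return None


def classify(status, body, request_url):
    """Map a response to an action for a non-browser client."""
    if status == 511:
        # Generated by the network, not the origin: never parse it as API data.
        return ("network_auth_required", portal_login_url(body, request_url))
    if 500 <= status <= 599:
        return ("server_error", None)
    return ("ok", None)


# Constructed sample body, modelled on the meta-refresh pattern described above.
SAMPLE_511 = """<html><head><title>Network Authentication Required</title>
<meta http-equiv="refresh" content="0; url=https://login.example.net/">
</head><body><p>You need to <a href="https://login.example.net/">authenticate
with the local network</a> in order to gain access.</p></body></html>"""
```

A caller would show the returned URL to the user and retry the original request once `classify` stops reporting `network_auth_required`.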
No — a 511 is not produced by your origin server and indicates nothing wrong with your application or infrastructure. It means the client's network is blocking their request before it ever reaches your server. Users seeing 511 typically need to authenticate on their local network (for example, sign into a Wi-Fi portal) and then retry.