Tags: authorization, basic-authentication

Is Basic Authorization always using the same "success condition"?


I have some code that looks at "Basic Authorization" requests from many different sites. I want to know if I can make the following assumptions:

  • A successful response (credentials are correct) will always have response code 200 OK
  • A failed response (incorrect credentials) will always have response code 401 Unauthorized

Are the above fair assumptions, or are the success/fail conditions configurable per site?


Solution

  • No, there are other possible response codes.

    According to the official spec, there can also be the error code 407.

    Also, on MDN:

    If a (proxy) server receives invalid credentials, it should respond with a 401 Unauthorized or with a 407 Proxy Authentication Required, and the user may send a new request or replace the Authorization header field.

    If a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 Forbidden status code. Unlike 401 Unauthorized or 407 Proxy Authentication Required, authentication is impossible for this user and browsers will not propose a new attempt.

    In all cases, the server may prefer returning a 404 Not Found status code, to hide the existence of the page to a user without adequate privileges or not correctly authenticated.

    Besides that, I'm quite sure that an actual successful attempt will result in status code 200.
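Putting the status codes listed above into a small client-side classifier, as an added example that is not part of the original answer. It assumes responses arrive as a status integer plus a dict of header names to values (constructed here), and it only treats a 401/407 as a Basic-auth outcome when the matching challenge header actually advertises the Basic scheme, since a 401 with a Bearer challenge says nothing about Basic credentials.

```python
import base64
import re
from enum import Enum


class Outcome(Enum):
    SUCCESS = "credentials accepted"
    BAD_CREDENTIALS = "401 with Basic challenge: credentials rejected, a new attempt is allowed"
    PROXY_AUTH_REQUIRED = "407 with Basic challenge: the proxy wants its own credentials"
    FORBIDDEN = "403: credentials valid but insufficient, do not retry"
    HIDDEN_OR_MISSING = "404: resource absent, or hidden from an unauthorised user"
    UNKNOWN = "not a Basic-auth outcome this classifier recognises"


# Matches a Basic challenge and captures the realm when it directly follows the scheme.
# (A realm placed after other parameters, e.g. charset, is reported as "".)
_CHALLENGE_RE = re.compile(r'(?i)\bBasic\b(?:\s+realm="([^"]*)")?')


def basic_header(user, password):
    """Build the Authorization value a client sends: 'Basic ' + base64('user:password')."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_challenge(headers, name):
    """Return the realm ("" if none) when header `name` carries a Basic challenge, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(name.lower())
    if not value:
        return None
    m = _CHALLENGE_RE.search(value)
    return (m.group(1) or "") if m else None


def classify(status, headers):
    """Map one HTTP response (status code + headers) to an Outcome."""
    if 200 <= status < 300:          # any 2xx is acceptance, not only 200 exactly
        return Outcome.SUCCESS
    if status == 401:
        ok = basic_challenge(headers, "WWW-Authenticate") is not None
        return Outcome.BAD_CREDENTIALS if ok else Outcome.UNKNOWN
    if status == 407:
        ok = basic_challenge(headers, "Proxy-Authenticate") is not None
        return Outcome.PROXY_AUTH_REQUIRED if ok else Outcome.UNKNOWN
    if status == 403:
        return Outcome.FORBIDDEN
    if status == 404:
        return Outcome.HIDDEN_OR_MISSING
    return Outcome.UNKNOWN


if __name__ == "__main__":
    # Constructed sample responses, one per case the answer describes.
    samples = [(200, {}), (401, {"WWW-Authenticate": 'Basic realm="site"'}),
               (401, {"WWW-Authenticate": "Bearer"}), (407, {"Proxy-Authenticate": "Basic"}),
               (403, {}), (404, {})]
    for status, hdrs in samples:
        print(status, "->", classify(status, hdrs).name)
```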