511 Network Authentication Required

HTTP response status code 511 Network Authentication Required is a server error used by captive portals to inform HTTP clients to complete a sign-in before being granted network access.

Table of Contents

Usage

The 511 Network Authentication Required status code informs the HTTP client to log in before being granted access to the network. An example of a captive portal is a hotel portal granting guests access to non-public Wi-Fi services.

The 511 Network Authentication Required status code signals to HTTP clients the response is not coming from the origin server but from a network gatekeeper requiring Authentication.

SEO impact

Search engines treat 511 the same as other 5xx server errors. Persistent failures reduce crawl rate and eventually remove affected URLs from the index.

Example

The HTTP client requests a resource and the server responds with a 511 Network Authentication Required status code because the client must first authenticate before being granted regular network access.

Request

GET / HTTP/1.1
Host: www.example.re

Response

HTTP/1.1 511 Network Authentication Required
Content-Type: text/html; charset=UTF-8
Content-Length: 218

<html>
  <head>
    <title>Network Authentication Required</title>
  </head>
  <body>
    <p>Before accessing this service,
    <a href="https://login.example.re/">sign in
    </a> to the network.</p>
  </body>
</html>

How to fix

The network requires Authentication before granting internet access. A captive portal is intercepting HTTP traffic and returning 511 until login is complete.

For end users:

  • Open a browser and navigate to any HTTP (not HTTPS) URL. The captive portal intercepts the request and Redirects to the login page. Most operating systems detect captive portals automatically and display a login prompt.
  • If automatic detection fails, try browsing to a known HTTP URL such as http://detectportal.firefox.com/ or http://www.msftconnecttest.com/connecttest.txt. These detection URLs are designed to trigger captive portal redirects.
  • Complete the login, accept terms, or provide payment on the portal page. After Authentication, retry the original request.
  • If the portal page does not appear, check the 511 response body for a login URL. The response typically includes an HTML page with a link or META refresh tag pointing to the login server.

For automated clients and applications:

  • Implement captive portal detection. Before making application requests, send a probe request to a known detection endpoint and check whether the response is the expected body or a 511/redirect. Apple, Google, Microsoft, and Mozilla all publish detection URLs for this purpose.
  • Handle 511 responses explicitly in HTTP client code. Parse the response body for the login URL, present the login flow to the user (or automate credential submission if the portal supports API-based login), then retry the original request.
  • Cache the Authentication state. Many captive portals use MAC address registration, so re-authentication is only needed after a timeout or device reconnection.

For network operators serving 511:

  • Return the 511 status (not a 302 redirect) so HTTP clients correctly identify the response as coming from the network, not the origin server.
  • Include a Content-Type: text/html response with a clear login link. Avoid Caching the 511 response by omitting cache headers or including Cache-Control: no-store.

Code references

.NET

HttpStatusCode.NetworkAuthenticationRequired

Rust

http::StatusCode::NETWORK_AUTHENTICATION_REQUIRED

Rails

:network_authentication_required

Go

http.StatusNetworkAuthenticationRequired

Symfony

Response::HTTP_NETWORK_AUTHENTICATION_REQUIRED

Python3.5+

http.HTTPStatus.NETWORK_AUTHENTICATION_REQUIRED

Apache HttpComponents Core

org.apache.hc.core5.http.HttpStatus.SC_NETWORK_AUTHENTICATION_REQUIRED

Angular

@angular/common/http/HttpStatusCode.NetworkAuthenticationRequired

Takeaway

The 511 Network Authentication Required status code informs the HTTP client a captive portal requires Authentication before granting network access.

See also

Last updated: March 5, 2026