diff --git a/oauthproxy.go b/oauthproxy.go
index c6db18a7..2cbe4d26 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -633,6 +633,10 @@ func (p *OAuthProxy) isTrustedIP(req *http.Request) bool {
 // SignInPage writes the sign in template to the response
 func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code int) {
 	prepareNoCache(rw)
+	rw.Header().Set("WWW-Authenticate", "Bearer")
+	if p.basicAuthValidator != nil {
+		rw.Header().Add("WWW-Authenticate", "Basic")
+	}
 	rw.WriteHeader(code)
 
 	redirectURL, err := p.appDirector.GetRedirect(req)
@@ -1038,7 +1042,7 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
 			// the user did not explicitly start the login flow
 			p.doOAuthStart(rw, req, nil)
 		} else {
-			p.SignInPage(rw, req, http.StatusForbidden)
+			p.SignInPage(rw, req, http.StatusUnauthorized)
 		}
 
 	case ErrAccessDenied: