The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.