How to prevent user enumeration in HTTP Basic auth
Is there a way to make the HTTP 401 message exactly the same whether the inputted user name exists or not? Currently there are 2 different responses:
If the user name exists, and the password is invalid:
HTTP Status 401 - Authentication failed for , please make sure the credentials are correct
If the user name is not valid:
HTTP Status 401 - Basic Authentication requires a valid HTTP Authorization header be supplied.
2nd attempt with invalid user name:
HTTP Status 401 - Invalid User Name
This is being flagged as "user name enumeration" in our security penetration tests since a hacker could exploit this to see which user names are valid in our Thingworx system.
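The fix the question is asking for, as an added example that is not part of the original post and not Thingworx's own code: a Basic-auth check that returns one identical 401 (same status, same body, same `WWW-Authenticate` header) whether the header is missing, the user is unknown, or the password is wrong, and that hashes the supplied password against a dummy record when the user does not exist so that response time does not leak the difference either. The user store, the realm name `Thingworx`, and the 401 body text (modelled on the first message quoted above, with the user name removed) are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; any slow password hash works, the point is that the
    # same amount of work is done on every path below.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def _make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed sample user store (hypothetical): username -> (salt, hash).
USERS = {
    "alice": _make_user("correct horse battery staple"),
    "bob": _make_user("hunter2"),
}

# Fixed dummy record used for unknown user names, so a lookup miss costs the
# same as a lookup hit. The dummy password can never authenticate anyone
# because authenticate() also requires a real record to exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-valid", _DUMMY_SALT)

# The single 401 every failure path returns. It must not say *which* check
# failed: no "Invalid User Name", no "requires a valid Authorization header".
UNIFORM_401 = (
    401,
    {"WWW-Authenticate": 'Basic realm="Thingworx"', "Content-Type": "text/plain"},
    "HTTP Status 401 - Authentication failed, please make sure the credentials are correct",
)


def _parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic ...' header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, pw = decoded.partition(":")  # RFC 7617: password may itself contain ':'
    return user, pw


def authenticate(authorization_header: Optional[str]):
    """Return (status, headers, body). Every failure is the identical UNIFORM_401."""
    creds = _parse_basic(authorization_header)
    if creds is None:
        # No user name was offered, so there is nothing to enumerate here;
        # still answer with the same 401 rather than a distinct message.
        return UNIFORM_401
    username, password = creds
    record = USERS.get(username)
    # Hash against the real record if the user exists, otherwise the dummy,
    # so an unknown user name takes the same time as a wrong password.
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    # compare_digest runs first (constant time); the record check then rejects
    # anyone who happened to guess the dummy password for a non-existent user.
    ok = hmac.compare_digest(candidate, expected) and record is not None
    if not ok:
        return UNIFORM_401
    return 200, {"Content-Type": "text/plain"}, f"Hello, {username}"


def basic_header(user: str, pw: str) -> str:
    """Build the client-side Authorization header value for a username/password pair."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Unknown user and wrong password produce byte-for-byte identical responses.
    print(authenticate(basic_header("nobody", "x")))
    print(authenticate(basic_header("alice", "x")))
    print(authenticate(basic_header("alice", "correct horse battery staple")))
```

A check worth repeating in a pentest retest: send the wrong-password and unknown-user requests side by side and diff status, headers and body, then compare response times over a few hundred requests; both should be indistinguishable. Lockout or rate limiting should likewise be keyed on the source, not on whether the user name exists, or it reintroduces the oracle.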

