An HttpError setting exists in error.ini, to define what HTTP status header to return for certain errors.
However, for the "Access Denied" error (code 1), only the first request actually sets this header.
As the response is cached, any further requests will return "200 OK".
- In error.ini:
- Clear caches
- With anonymous account, try to access a restricted section (such as 'Media').
- The result status is "HTTP 401: Authorization Required"
- Now refresh the page.
The same page will return an http status 200.
Clearing the cache makes the next request valid again.