Channel: Active questions tagged rest - Stack Overflow

Authorization in RESTful HTTP API, 401 WWW-Authenticate


I'm creating a RESTful service to provide data to a web application. I have two related questions about this.

1. How to deal with unauthorized requests?

I'm intending to respond to requests with the following codes:

  • Is the resource open and found? 200 OK
  • Do you need to be authenticated to access the resources? 401 Unauthorized
  • Don't you have access to a category of resources? 403 Forbidden
  • Do you have access to a category of resources, but not to this specific resource? 404 Not Found to prevent people from getting to know the existence of a resource they do not have access to.
  • Doesn't the resource exist? 404 Not Found

Is this a recommended way for a RESTful service to behave?

2. What WWW-Authenticate header should 401 responses supply?

I read on Wikipedia (probably not the most accurate resource, but it works for me) that a 401 response must include a WWW-Authenticate header; however, upon further searching I couldn't really find any resource that stated what this value means and what it should be.

I found several SO questions and forum topics about this header and they all seem to be about OAuth, suggest against using 401 status codes or say you can just make something up.

What is the correct value this header should contain?
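
The status-code scheme listed in the question, written out as a decision function. This is an added example, not part of the original post. RFC 7235 requires a 401 response to carry a WWW-Authenticate header with at least one challenge. Assumptions: the `Basic` scheme with realm `api`, the sample paths and users, taking the category from the first path segment, and the order of the checks, which is chosen so that no answer depends on whether a resource exists unless the caller may read it.

```python
from dataclasses import dataclass, field

# Assumption: Basic scheme (RFC 7617); the question does not name a scheme.
CHALLENGE = 'Basic realm="api"'

@dataclass
class Resource:
    public: bool = False
    readers: set = field(default_factory=set)  # users allowed on this resource

@dataclass
class User:
    name: str
    categories: set  # categories (first path segment) the user may access

# Constructed sample data, not from the question.
RESOURCES = {
    "/news/1": Resource(public=True),
    "/reports/7": Resource(readers={"alice"}),
    "/reports/8": Resource(readers={"bob"}),
    "/admin/1": Resource(readers={"root"}),
}

# One shared value, so a hidden resource and a missing one answer identically.
NOT_FOUND = (404, {}, "Not Found")

def decide(user, path):
    """Return (status, headers, body) for a request by `user` (None = anonymous)."""
    res = RESOURCES.get(path)
    if res is not None and res.public:
        return (200, {}, "OK")                      # open and found
    if user is None:
        # Checked before existence, so anonymous callers cannot probe paths.
        return (401, {"WWW-Authenticate": CHALLENGE}, "Unauthorized")
    category = path.strip("/").split("/")[0]
    if category not in user.categories:
        return (403, {}, "Forbidden")               # no access to the category
    if res is None or user.name not in res.readers:
        return NOT_FOUND                            # missing, or hidden from user
    return (200, {}, "OK")

if __name__ == "__main__":
    alice = User("alice", {"reports"})
    for who, path in [(None, "/news/1"), (None, "/reports/7"),
                      (alice, "/admin/1"), (alice, "/reports/7"),
                      (alice, "/reports/8"), (alice, "/reports/999")]:
        print(who.name if who else "anonymous", path, decide(who, path))
```

Because the 403 decision uses only the URL and the 404 value is shared, the response for `/reports/8` (exists, not readable by alice) is byte-for-byte the same as for `/reports/999` (does not exist).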

