Return "401 Unauthorized" if no authentication header is required

[MaxWipfli]

According to RFC 7617, the server should respond with "401 Authentication Required" and a header WWW-Authenticate: Basic realm="foo" if no authentication header is provided by the client. Currently, sauth returns 200 OK in this case.

[algrid]

For me when I'm doing GET the server returns properly 401 with WWW-Authenticate. But when I'm doing a HEAD request, I get 200, no Content-Length and incorrect Content-Type (always text/html).