Nothing at all from the spec says usually, and often you can't make use of a 401 in that condition mainly because returning a 401 is just authorized in the event you involve a WWW-Authenticate header. When viewing the reaction headers from CloudFront, note the X-Cache: (hit/miss out on) and http://pigpgs.com