I noticed that when a user attempts to log in with incorrect credentials, the server responds with an HTTP 200 OK status code.
While the page correctly renders the error message to the user, the HTTP response should ideally signal the authentication failure with a 401 Unauthorized or 403 Forbidden status code rather than 200.
Why this is important: Returning 200 OK makes it difficult to integrate with security tools (like Fail2Ban, WAFs, or external monitoring) that rely on HTTP status codes to detect and block brute-force attacks.
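To show the effect concretely, here is an added example (not code from the project this report concerns): two minimal login handlers, one answering 200 on failure as described above and one answering 401, fed through a Fail2Ban-style access-log filter that only sees status codes. The user store, log format and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed credential store; plaintext only to keep the example short.
USERS = {"alice": "correct horse battery staple"}

def login_status_quo(user, password):
    """Behaviour reported above: failures still answer 200 with an error page."""
    if USERS.get(user) == password:
        return 200, "welcome"
    return 200, "Invalid username or password"

def login_fixed(user, password):
    """Suggested behaviour: failures answer 401 so the status line carries the signal."""
    if USERS.get(user) == password:
        return 200, "welcome"
    return 401, "Invalid username or password"

# Common-log-format access line, as a status-code based filter would see it (constructed).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST /login HTTP/1\.[01]" (\d{3}) ')

def access_line(ip, status):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" {status} 512'

def failed_logins_per_ip(lines, fail_codes=(401, 403)):
    """Count login attempts per client IP whose status marks a failure.
    Like Fail2Ban or a WAF rule, this never reads the response body: if the
    server answers 200 on failure, the filter cannot tell success from failure."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and int(m.group(2)) in fail_codes:
            counts[m.group(1)] += 1
    return counts

def simulate(handler, attempts):
    """Run a list of (ip, user, password) attempts and return the resulting access log."""
    return [access_line(ip, handler(u, p)[0]) for ip, u, p in attempts]

# Five wrong guesses from one address, one valid login from another (constructed).
ATTEMPTS = [("203.0.113.7", "alice", "wrong%d" % i) for i in range(5)] + \
           [("198.51.100.2", "alice", "correct horse battery staple")]

if __name__ == "__main__":
    for name, handler in (("200-on-failure", login_status_quo), ("401-on-failure", login_fixed)):
        print(name, dict(failed_logins_per_ip(simulate(handler, ATTEMPTS))))
```

With the 200-on-failure handler the filter reports no failed logins at all; with the 401-on-failure handler it attributes five failures to 203.0.113.7, which is exactly the signal a ban or rate-limit rule needs.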