diff --git a/cmd/wireproxy/main.go b/cmd/wireproxy/main.go
index 8852ae3..ed6f55c 100644
--- a/cmd/wireproxy/main.go
+++ b/cmd/wireproxy/main.go
@@ -28,7 +28,7 @@ var default_config_paths = []string {
 os.Getenv("HOME")+"/.config/wireproxy.conf",
 }
-var version = "1.0.8-dev"
+var version = "1.0.11-dev"
 func panicIfError(err error) {
 if err != nil {
diff --git a/http.go b/http.go
index a5c254a..1504050 100644
--- a/http.go
+++ b/http.go
@@ -32,23 +32,23 @@ func (s *HTTPServer) authenticate(req *http.Request) (int, error) {
 }
 auth := req.Header.Get(proxyAuthHeaderKey)
- if auth != "" {
- enc := strings.TrimPrefix(auth, "Basic ")
- str, err := base64.StdEncoding.DecodeString(enc)
- if err != nil {
- return http.StatusNotAcceptable, fmt.Errorf("decode username and password failed: %w", err)
- }
- pairs := bytes.SplitN(str, []byte(":"), 2)
- if len(pairs) != 2 {
- return http.StatusLengthRequired, fmt.Errorf("username and password format invalid")
- }
- if s.auth.Valid(string(pairs[0]), string(pairs[1])) {
- return 0, nil
- }
- return http.StatusUnauthorized, fmt.Errorf("username and password not matching")
+ if auth == "" {
+ return http.StatusProxyAuthRequired, errors.New(http.StatusText(http.StatusProxyAuthRequired))
 }
- return http.StatusProxyAuthRequired, errors.New(http.StatusText(http.StatusProxyAuthRequired))
+ enc := strings.TrimPrefix(auth, "Basic ")
+ str, err := base64.StdEncoding.DecodeString(enc)
+ if err != nil {
+ return http.StatusNotAcceptable, fmt.Errorf("decode username and password failed: %w", err)
+ }
+ pairs := bytes.SplitN(str, []byte(":"), 2)
+ if len(pairs) != 2 {
+ return http.StatusLengthRequired, fmt.Errorf("username and password format invalid")
+ }
+ if s.auth.Valid(string(pairs[0]), string(pairs[1])) {
+ return 0, nil
+ }
+ return http.StatusUnauthorized, fmt.Errorf("username and password not matching")
 }
 func (s *HTTPServer) handleConn(req *http.Request, conn net.Conn) (peer net.Conn, err error) {
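Review bot: The authentication scheme is never checked in authenticate: `strings.TrimPrefix(auth, "Basic ")` returns the header unchanged when the prefix is absent, so a header with any other scheme goes straight into base64 decoding and is handled as Basic credentials if it happens to decode. Reject it before the decode with `if !strings.HasPrefix(auth, "Basic ") { return http.StatusProxyAuthRequired, errors.New(http.StatusText(http.StatusProxyAuthRequired)) }`. The failure codes on this path (406, 411, 401) are also not proxy-authentication statuses, which matters for the challenge header added in serve in the next hunk; 407 would be the consistent answer for every credential failure. The start of authenticate lies outside the hunk.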
@@ -104,7 +104,11 @@ func (s *HTTPServer) serve(conn net.Conn) {
 code, err := s.authenticate(req)
 if err != nil {
- _ = responseWith(req, code).Write(conn)
+ resp := responseWith(req, code)
+ if code == http.StatusProxyAuthRequired {
+ resp.Header.Set("Proxy-Authenticate", "Basic realm=\"Proxy\"")
+ }
+ _ = resp.Write(conn)
 log.Println(err)
 return
 }
diff --git a/systemd/wireproxy.service b/systemd/wireproxy.service
index 832f813..0ecc551 100644
--- a/systemd/wireproxy.service
+++ b/systemd/wireproxy.service
@@ -40,7 +40,7 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=true
 RestrictRealtime=true
 SystemCallArchitectures=native
-SystemCallFilter=@system-service
+SystemCallFilter=@system-service @sandbox
 [Install]
 WantedBy=multi-user.target
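Review bot: The `Proxy-Authenticate` challenge is sent only when `code == http.StatusProxyAuthRequired`, but authenticate in the previous http.go hunk returns 401 for wrong credentials and 406/411 for malformed ones, so a client that sent bad credentials receives no challenge and may not re-prompt. Either have authenticate return 407 for those failures or drop the condition and set the header for every failure in this branch. `resp.Header.Set` also assumes responseWith returns a response whose Header map is non-nil; that helper is not visible here, so confirm it, since Set on a nil map would panic. The body of serve continues outside the hunk.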
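Review bot: Adding `@sandbox` to `SystemCallFilter` widens the unit's syscall allow-list, and neither the unit file nor the commit record says which code path needs it. A comment above the directive, for example `# @sandbox: syscalls needed for in-process sandboxing` (wording to be confirmed by the author), would keep a later hardening pass from removing the group or widening the filter further. The group name is presumably only known to newer systemd releases, so it is worth confirming how the oldest supported systemd treats an unrecognised group in this directive.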