diff --git a/messages/en-US.json b/messages/en-US.json
index 01047ecd..f7be36b6 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1754,7 +1754,7 @@
 "resourceHeaderAuthSetup": "Header Authentication set successfully",
 "resourceHeaderAuthSetupDescription": "Header authentication has been successfully set.",
 "resourceHeaderAuthSetupTitle": "Set Header Authentication",
- "resourceHeaderAuthSetupTitleDescription": "Set the basic auth credentials (username and password) to protect this resource with HTTP Header Authentication. Leave both fields blank to remove existing header authentication.",
+ "resourceHeaderAuthSetupTitleDescription": "Set the basic auth credentials (username and password) to protect this resource with HTTP Header Authentication. Access it using the format https://username:password@resource.example.com",
 "resourceHeaderAuthSubmit": "Set Header Authentication",
 "actionSetResourceHeaderAuth": "Set Header Authentication",
 "enterpriseEdition": "Enterprise Edition",
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 4921d43f..b1692dce 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -314,6 +314,11 @@ export async function verifyResourceSession(
 logger.debug("Resource allowed because header auth is valid");
 return allowed(res);
 }
+
+ // if there are no other auth methods we need to return unauthorized here
+ if (!sso && !pincode && !password && !resource.emailWhitelistEnabled) {
+ return notAllowed(res);
+ }
 }
 if (!sessions) {
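Review bot: The new deny branch in verifySession.ts returns `notAllowed(res)` without any log line, while the allow path two lines above logs `Resource allowed because header auth is valid`; a failed header-auth attempt on a resource with no fallback method is exactly the event an operator needs when diagnosing lockouts or spotting credential guessing, so add `logger.debug("Resource denied because header auth failed and no other auth methods are configured");` before the return. The set of "other auth methods" (`sso`, `pincode`, `password`, `resource.emailWhitelistEnabled`) is spelled out inline here and the first three come from outside the hunk; if the same combination is evaluated elsewhere in verifyResourceSession, hoisting it into a named `const hasOtherAuthMethod = …` keeps the two in step when a method is added. If `notAllowed` does not already emit a `WWW-Authenticate: Basic` challenge, clients that expect a credential prompt rather than the URL-embedded form now documented in en-US.json will receive a bare denial; worth confirming. The enclosing function starts and ends outside the hunk.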