diff --git a/server/server.go b/server/server.go
index e2a342c..4ffbfbc 100755
--- a/server/server.go
+++ b/server/server.go
@@ -153,11 +153,11 @@ func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
 		if auth, err := s.lookupAuth(mapKey(r.Host)); err != nil {
 			log.Printf("failed to lookup auth for %s (%s): %v", r.Host, mapKey(r.Host), err)
 			w.Header().Set("WWW-Authenticate", "Basic")
-			http.Error(w, err.Error(), http.StatusForbidden)
+			http.Error(w, err.Error(), http.StatusUnauthorized)
 		} else if _, p, _ := r.BasicAuth(); auth != p {
 			log.Printf("failed to auth: expected %q but got %q", auth, p)
 			w.Header().Set("WWW-Authenticate", "Basic")
-			http.Error(w, "unexpected basic auth", http.StatusForbidden)
+			http.Error(w, "unexpected basic auth", http.StatusUnauthorized)
 		} else {
 			foo(w, r)
 		}
@@ -215,7 +215,6 @@ func (cb corsResponseWriter) WriteHeader(code int) {
 func doCORS(w http.ResponseWriter, r *http.Request) (http.ResponseWriter, bool) {
 	key := mapKey(r.Host)
 	if !config.GetCORS(key) {
-		pushMeta(r, "do-cors", "not enabled for key")
 		return w, false
 	}
 	pushMeta(r, "do-cors", "enabled for key")