diff --git a/internal/http/middleware.go b/internal/http/middleware.go
index 390cf2b..a6efd17 100644
--- a/internal/http/middleware.go
+++ b/internal/http/middleware.go
@@ -19,8 +19,8 @@ func DisallowNonNavigationalRequests(next http.Handler) http.Handler {
 			span := trace.SpanFromContext(r.Context())
 			span.SetAttributes(attribute.Bool("request.disallowed", true))
 
-			w.WriteHeader(http.StatusUnauthorized)
 			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusUnauthorized)
 			w.Write([]byte(`{"error": "unauthenticated", "error_description": "this is an interactive endpoint; user-agents must be navigated to this endpoint", "error_path": "` + r.URL.Path + `"}`))
 			return
 		}
diff --git a/pkg/handler/reverseproxy.go b/pkg/handler/reverseproxy.go
index 956287a..af7b87c 100644
--- a/pkg/handler/reverseproxy.go
+++ b/pkg/handler/reverseproxy.go
@@ -203,12 +203,13 @@ func handleAutologin(src ReverseProxySource, w http.ResponseWriter, r *http.Requ
 
 	location := loginURL(target, "non-navigation request detected; responding with 401 and Location header")
 	w.Header().Set("Location", location)
-	w.WriteHeader(http.StatusUnauthorized)
 
 	if httpinternal.Accepts(r, "*/*", "application/json") {
 		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusUnauthorized)
 		w.Write([]byte(`{"error": "unauthenticated, please log in"}`))
 	} else {
+		w.WriteHeader(http.StatusUnauthorized)
 		w.Write([]byte("unauthenticated, please log in"))
 	}
 }