If you have configured the listener to use an authorization exit, security becomes the responsibility of that exit. Otherwise, the flow itself must handle security. The configured flow can examine the sreg(reqType) to determine whether this is a HEAD or a POST request. If it is a HEAD request, this is a call for security authorization. The flow must obtain the credentials as appropriate to the configuration. For basic authorization, security failure is reported back as a post code of SC_FORBIDDEN (403). Otherwise, it returns 200. In direct indexing it often makes sense to implement security in the flow itself.