Remove WWW-Authenticate header
I traced that Apache 2.4.25 (as in Debian 9 "stretch") adds the "WWW-Authenticate" header in mod_auth_basic.c (to r->err_headers_out) and afterwards handles the Apache configuration "Header" directive in mod_headers.c which unfortunately operates on a different copy of r->err_headers_out in mod_headers.c:ap_headers_error_filter().
When adding a second do_headers_fixup() to ap_headers_error_filter() as done in ap_headers_output_filter() to operate on r->headers_out also, the problem is gone.
Not sure if Apache considers this problem as a bug or a feature.
Update: The respective issue report at apache.org, including proposed patch, is at:https://bz.apache.org/bugzilla/show_bug.cgi?id=62025
The problem here is the order that Apache modules are loaded and processed.
You can see the modules order running this command:
apache2ctl -MYou'll see that auth_*_module are loaded before the headers_module so you cannot add headers or modify existing ones.
Loaded Modules:...... auth_basic_module (shared) auth_digest_module (shared) authn_core_module (shared) authn_file_module (shared) authz_core_module (shared) authz_groupfile_module (shared) authz_host_module (shared) authz_user_module (shared)...... headers_module (shared)......
Viewing the Apache documentation, the loading order of the modules is determined in the module's own source code.