According to MDN and RFC 7235 multiple authentication challanges can be specified by a response.

The current implementation relies on the order of the DEFAULT_AUTHENTICATION_CLASSES settings. Usually the more secure authentication schemes ('Bearer' or 'Token') are placed on top of that list, but those are not handled by the browsers. This means that potentially browser support for authentication is not available in the Browsable API.

My proposal would be to simply add all headers provided by the authentication classes, so even if Basic authentication is not prefered, it still can be used to authenticate in browsers.

What is your view on this? Shall I submit a PR?