diff --git a/lib_web/src/main/x/web/security/DigestAuthenticator.x b/lib_web/src/main/x/web/security/DigestAuthenticator.x
index 2a25c463f..b4eb02215 100644
--- a/lib_web/src/main/x/web/security/DigestAuthenticator.x
+++ b/lib_web/src/main/x/web/security/DigestAuthenticator.x
@@ -220,8 +220,15 @@ service DigestAuthenticator
 if (!passed) {
 // to cause the client to request the user for a name and password, we need to return an
 // "Unauthorized" error code with a header that directs the client to use Digest auth
- String nonce = toString(nonces.generate());
+ String nonce = toString(nonces.generate());
 String[] challenges = new String[];
+
+ // Safari only supports "md5-sess" algorithm
+ // REVIEW CP: there is a chance they all drop it; should we limit the challenge to "md5"
+ Signer[] hashers = (request.userAgent?.indexOf("Safari") : False)
+ ? [md5]
+ : this.hashers;
+
+ for (Signer hasher : hashers) {
 challenges += $|Digest realm="{realm.name}",\
 |qop="auth",\
@@ -458,7 +465,7 @@ service DigestAuthenticator
 * @param s a String in the format defined by
 * [RFC 5987](https://datatracker.ietf.org/doc/html/rfc5987)
 *
- * @return `True` iff the String contents were successfull decoded
+ * @return `True` iff the String contents were successfully decoded
 * @return (conditional) the decoded String contents
 */
 static conditional String decodeUtf8MimeHeader(String text) {
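Review bot: The User-Agent test in the added `Signer[] hashers = …` statement of the first hunk matches far more than Safari, because Chrome, Edge and other Chromium-based browsers also carry a `Safari/…` token in their User-Agent, so most browser clients would be challenged with `[md5]` alone and never offered any other signer configured in `this.hashers`. The header is client-supplied, so it can only serve as a compatibility hint; I would narrow the match (require `Safari` and the absence of `Chrome`/`Chromium`) and confirm that the response-verification code, which lies outside this hunk, accepts only an algorithm that was actually offered in the challenge. The comment says Safari only supports "md5-sess" while the code selects `md5`; if plain MD5 is what is meant, reword it to `// Safari only supports the "MD5" digest algorithm, so offer it alone`. The new local `hashers` also shadows the property of the same name, so a distinct name such as `offered` would make the `for` loop, whose body continues past the hunk, easier to follow.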