What status code should be returned if somebody request access to the entity that he is not permitted to see? You'll probably say it's 403: Forbidden. But is it common practice to return 404 instead? I don't want somebody know that this entity even exists if he is not permitted to see it. What do you think?
Use 404 Not found.
The 404 status code can also be used in 403 scenarios, when the server
does not want to send back the reason why it is refusing to serve the
request. A good example is when the server senses some kind of an
attack, which might be a brute force attack. In this case, the
server responds with a 404 Not found instead of a 403 Forbidden and an
explanation.
Source: Pro ASP.NET Web API Security
Return 403 Forbidden. If you return this for every request the client is not allowed to access and if you never return 404 Not Found, the client knows nothing.
It all depends on how important this is for you:
I don't want somebody know that this entity even exists if he is not permitted to see it.
If this really is important, always return 403 Forbidden.
Well.. it depends..
If your endpoints' URLs reveal sensitive information (e.g., in Dropbox API, you refer to files by their names, rather than their IDs - so the URLs contain the file names) or perhaps you're using sequential IDs (e.g., ascending IDs that can be brute-forced), return 404.
If you need to support a "Request Access" feature to resources you don't have permissions for, return 403, so your client-side could tell the difference.
Generally speaking, if your API uses IDs and never reveal information as part of its URLs and you're using UUIDs as IDs, I would go with 403.. as with many well-known and very secured applications nowadays (Google, Microsoft, etc..).
Hope you get some clarification on HTTP errors based on what I am posting below:
HTTP 401 error :: This error happens when a website visitor tries to access a restricted web page but isn't authorized to do so.
HTTP 403 error :: This error is similar to the 401 error, but note the difference between unauthorized and forbidden. This can for example happen if you try to access a directory(forbidden) on any website.
HTTP 404 error :: A 404 error happens when you try to access a resource on a web server (usually a web page) that doesn't exist.
Related
If user has to upload files and confirm them via API endpoint call, what status code should be returned if user calls the confirm endpoint but has not uploaded all of the required files?
400 doesn't seem to be right because there is nothing wrong with the request parameters.
403 doesn't seem to be right because there is nothing wrong with credentials.
The 403 (Forbidden) status code indicates that the server understood the request but refuses to fulfill it.... a request might be forbidden for reasons unrelated to the credentials. -- HTTP Semantics
Keep in mind that status codes are metadata in the transfer of documents over a network domain; they tell HTTP components how to interpret the fields and body in the HTTP response.
See also Mark Nottingham on the generic semantics of status codes.
I don't think it is as good a choice, but it 409 conflict is an alternative that is probably harmless?
The 409 (Conflict) status code indicates that the request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request. -- HTTP Semantics
Our image board allows users to upload images by copy-pasting URLs. A client app sends a POST request to our API with an image URL given in the request body. Our web service receives the POST request and handles it by downloading the image from the given URL by using a server-side HTTP client (request in our case).
In successful case, the service finds the image, downloads it, and stores it to the server. The service returns HTTP 200 to the client.
Now, what if the image cannot be found? What if the download attempt results in HTTP 404? What HTTP error code should we use to response to the client?
HTTP 400 Bad Request is not applicable because the request was well-formed and all parameters were valid.
HTTP 404 Not Found is not applicable because the request URL was found and served although the image URL was not.
HTTP 502 Bad Gateway does not feel right either because there is nothing wrong with our server or the upstream server (the server of the source image). The user just happened to type in an image URL that does not exist.
Any experience on the matter? Which error code is the most correct?
First of all you should decide if this is a client error (4xx) or server error (5xx). From what you describe, it feels more like a client error. The client has requested the creation of a resource from another resource (the image URL) which does not exist.
There is no perfect match for this scenario, although one could make a case for each of the 2 following response codes:
HTTP 409 Conflict: From the RFC:
The request could not be completed due to a conflict with the current
state of the target resource. This code is used in situations where
the user might be able to resolve the conflict and resubmit the
request...
This applies to your case if you consider the target resource to be in a bad state (image not found). If someone provides an image at the specified URL, that effectively transitions your resource to a valid state.
This is also a good match because, as the RFC states, this code implies the user might be able to resolve the conflict (in your case the user would correct this by posting the image to the specified URL).
HTTP 424 Failed Dependency: From the RFC:
The 424 (Failed Dependency) status code means that the method could
not be performed on the resource because the requested action depended
on another action and that action failed...
This applies to your case in that "the requested action depended on another action and that action failed". The dependent action is the posting of an image to the other URL. What you have described is a case where that dependent action either failed or did not happen (which could also be called a failure).
Since the API determines on something that is not available, its service is unavailable as well.
The status code 503: Service Unavailable is the best fit for your situation.
According to the RFC description:
The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. The implication is that this is a temporary condition which will be alleviated after some delay. If known, the length of the delay MAY be indicated in a Retry-After header. If no Retry-After is given, the client SHOULD handle the response as it would for a 500 response.
Alternatively, if your API supports a way of communicating errors (e.g. to tell the user that the information he submitted is incorrect) you may be able to use this method to tell the user that the external resource is unavailable. This might be a little friendlier and might avoid some error raises on the user's side.
Since the client app sends POST requests to your API server the response codes should be generated according to the received server in your case this is your API server.
If the server has received correct information from the client app and server determines the request as valid, it should return apropriate code with proper JSON or header based error messages.
http error codes were conceived assuming that all pages possibly served were stored locally, one way or another.
Your scenario does not match that assumption and it should therefore not come as a surprise that you don't find codes that fit your bill properly.
Your "not found" scenario is in fact an application error and you should notify your user of the situation by providing an error message on the form where he entered the URL (or return a fully dedicated error page or some such). Or choose an http error nonetheless and accept the notion that it will be a poor fit no matter what.
Now, what if the image cannot be found? What if the download attempt results in HTTP 404? What HTTP error code should we use to response to the client?
The main thing to keep in mind: you are trying to fool the client into thinking that you are a web site - just a dumb document store which might respond to some content editing messages.
For the client, the primary means of communication is the body of the response. See RFC 7231
Except when responding to a HEAD request, the server SHOULD send a representation containing an explanation of the error situation, and whether it is a temporary or permanent condition.
The status code is meta-data: aimed at giving the generic components participating in the exchange a chance to know what is going on (examples: the web browser doesn't need to know what page you are asking for to recognize a redirection response returned by the server, the web browser asking for credentials when it receives a 401 unauthorized response, web caches invalidating entries, or not, depending on the status code returned by the response).
HTTP 400 Bad Request is not applicable because the request was well-formed and all parameters were valid.
Yes, that's exactly right.
I would probably use 500 Internal Server Error, on the grounds that there's nothing wrong with the _document that the server received, the problems are all involved in the side effects of the server's implementation.
A different approach you might consider: 202 Accepted. Roughly translated "I got your message, I understood your message, and I'll get around to it later." If you don't need the side effects to be synchronous, you can defer judgment. That allows you to do things like applying a retry strategy.
The representation sent with this response ought to describe the request's current status and point to (or embed) a status monitor that can provide the user with an estimate of when the request will be fulfilled.
"I'll get to it later; if you want to know how it is going, go ask him -->"
Because 202 is a non-error status code, its effect on caches is different from those of a 4xx or 5xx. If you are already thinking ahead about caching, you'll want to the implications of that in mind.
I have a RESTful web service which requires an end-user license agreement (EULA) to be accepted before it can be used.
Which HTTP status code would be most appropriate for the web service to return if the EULA has not (yet) been accepted?
Currently I see the following possibilities (my current favorite in bold):
403 Forbidden
412 Precondition Failed
417 Expectation Failed
423 Locked
428 Precondition Required#
451 Unavailable For Legal Reasons
As suggested by CodeCaster I went to w3.org and looked at the definitions of HTTP Status Codes in RFC2616. I found Status Code 403 to be most appropriate:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated. If
the request method was not HEAD and the server wishes to make public
why the request has not been fulfilled, it SHOULD describe the reason
for the refusal in the entity. If the server does not wish to make
this information available to the client, the status code 404 (Not
Found) can be used instead.
401 Unauthorized
As George Clooney would say: "What else!". You authorize people accessing your service after they agree with the EULA. They didn't do that, so they aren't authorized (to be compliant with the RFC, authenticating and retrying clients would have to include the WWW-Authenticate header, but you must somehow provide that information anyway, and this way is just as good as any other way).
On a different thought, you could just as well return 301 pointing to the agreement page. The reasoning behind that approach would be that 4xx codes signal an error condition. However, not having agreed to the EULA yet is (other than a failed authentication) not really an error condition.
It's preventing the service from being used, yes... but everything is "working fine".
Messages should be self explanatory, my vote also for 412 Precondition Failed.
I am using HTTP HEAD request for checking is a userlogin name is available or not. Now I am returning a 200 OK response if the user login name is available, What do I return if login is not available? Should it be 409 or 403 or 410 (Gone).
I believe that 409 makes the most sense.
The request could not be completed due to a conflict (username already taken).
This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request.
Your response body SHOULD include enough information for the user to understand the username is already taken.
Edit
The 410 Gone response should only be used if requested resource is no longer available at the server and no forwarding address is known. These are for situations where the request-URI is not available temporarily. Some suggest to just use 404 if you think the URI will be down for long periods.
The 403 indicates a fundamental access problem. It is more difficult to resolve because the HTTP protocol allows the Web server to give this response without providing any reason at all. This is equivalent to a blanket 'NO' by the Web server - with no further discussion allowed.
I have been getting this error message the past 36 hours. Facebook support has not been any help at all when it comes to resolving this issue. I've cleared my cookies and cache multiple times. I've tried from multiple machines as well as my phone. Still no luck on logging in. Is it an error on my part or are they doing maintenance? Please assist, I did not want to have to post here but I have no more options...
The website cannot display the page
HTTP 500
Most likely causes:
•The website is under maintenance.
•The website has a programming error.
What you can try:
Refresh the page.
Go back to the previous page.
More information
This error (HTTP 500 Internal Server Error) means that the website you are visiting had a server problem which prevented the webpage from displaying.
For more information about HTTP errors, see Help.
It's probably something on their end. Responses with a 5xx status code are used when the server is aware it has erred in some way. More specifically, the 500 error has the following definition:
500 Internal Server Error:
The server encountered an unexpected condition which prevented it from
fulfilling the request.
If the response had a 4xx status code, then the fault would lie on you. For example, if you made a request to a resource that doesn't exist, then you'd get a 404 response. As it stands now, something is wrong with their server.
Had the same problem. It appeared to be caused by this:
https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.1#asking-for-permissions
Apps that ask for more than public_profile, email and user_friends must be reviewed by Facebook before they can be made available to the general public.
We were asking for more than the default, so I presume the 500 is caused by this lack of review.
It appears it can also happen if you haven't made your App public and try to login to it as anyone but you (the account that created the App).