HTTP defines status codes. When designing a REST API, don't just use 200 for success and 404 for every error; always return the semantically appropriate status code for the response.

Here is a non-exhaustive selection of security-related REST API status codes. Use it to ensure you return the correct code.
Code | Message | Description |
---|---|---|
200 | OK | Response to a successful REST API action. The HTTP method can be GET, POST, PUT, PATCH or DELETE. |
201 | Created | The request has been fulfilled and resource created. A URI for the created resource is returned in the Location header. |
202 | Accepted | The request has been accepted for processing, but processing is not yet complete. |
301 | Moved Permanently | Permanent redirection. |
304 | Not Modified | Caching-related response returned when the client already has the same copy of the resource as the server. |
307 | Temporary Redirect | Temporary redirection of resource. |
400 | Bad Request | The request is malformed, such as message body format error. |
401 | Unauthorized | Missing or invalid authentication credentials (e.g. ID/password) were provided. |
403 | Forbidden | Used when authentication succeeded but the authenticated user does not have permission to access the requested resource. |
404 | Not Found | When a non-existent resource is requested. |
405 | Method Not Allowed | The error for an unexpected HTTP method. For example, the REST API is expecting HTTP GET, but HTTP PUT is used. |
406 | Not Acceptable | The client presented a content type in the Accept header which is not supported by the server API. |
413 | Payload Too Large | Use it to signal that the request size exceeded the given limit, e.g. for file uploads. |
415 | Unsupported Media Type | The requested content type is not supported by the REST service. |
429 | Too Many Requests | Returned when a possible DoS attack has been detected or the request is rejected due to rate limiting. |
500 | Internal Server Error | An unexpected condition prevented the server from fulfilling the request. Be aware that the response must not reveal internal information that could help an attacker, e.g. detailed error messages or stack traces. |
501 | Not Implemented | The REST service does not implement the requested operation yet. |
503 | Service Unavailable | The REST service is temporarily unable to process the request. Used to inform the client it should retry at a later time. |
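The following is an added, self-contained example (not code from the cheat sheet or from any framework) of a minimal request dispatcher that maps request conditions to the codes in the table above. The route table, role names, body-size limit, rate limit and the `Request`/`Response` classes are all constructed for illustration. The order of checks is deliberate: rate limiting first, then route and method (404/405), then authentication before authorization (401 before 403), then representation checks (415/413/406), and finally handler errors, where a malformed body yields 400 and any unexpected exception yields a generic 500 with no internal details in the body.

```python
"""Map REST request conditions to the correct HTTP status codes (illustrative example)."""
import json
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

MAX_BODY_BYTES = 1024        # hypothetical upload limit -> 413
RATE_LIMIT_PER_WINDOW = 3    # hypothetical per-client request budget -> 429

# Hypothetical route table: path -> {allowed method: role required to call it}
ROUTES = {
    "/orders": {"GET": "user", "POST": "user"},
    "/admin/users": {"GET": "admin"},
    "/reports": {"GET": "user"},   # handler deliberately fails, to show a safe 500
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: bytes = b""
    client: str = "anon"          # identifier used for rate limiting
    user: Optional[str] = None    # None means no or invalid credentials
    role: str = "user"


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


_hits = defaultdict(int)   # requests seen per client in the (single) window


def reset_rate_limits() -> None:
    _hits.clear()


def _create_order(req: Request) -> Response:
    # Hypothetical handler: a malformed or incomplete body raises ValueError -> 400.
    data = json.loads(req.body)          # json.JSONDecodeError is a ValueError
    if "item" not in data:
        raise ValueError("missing item")
    return Response(201, {"id": 42}, {"Location": "/orders/42"})


def _report(req: Request) -> Response:
    # Simulates an internal failure whose message must NOT reach the client.
    raise RuntimeError("db connection failed: host=internal-db-01 user=svc")


def handle(req: Request) -> Response:
    _hits[req.client] += 1
    if _hits[req.client] > RATE_LIMIT_PER_WINDOW:
        return Response(429, {"error": "rate limit exceeded"}, {"Retry-After": "60"})
    methods = ROUTES.get(req.path)
    if methods is None:
        return Response(404, {"error": "not found"})
    if req.method not in methods:
        # Advertise the permitted methods, as the HTTP spec requires for 405.
        return Response(405, {"error": "method not allowed"},
                        {"Allow": ", ".join(sorted(methods))})
    if req.user is None:
        return Response(401, {"error": "authentication required"},
                        {"WWW-Authenticate": 'Bearer realm="api"'})
    if methods[req.method] == "admin" and req.role != "admin":
        return Response(403, {"error": "forbidden"})
    if req.method in ("POST", "PUT", "PATCH"):
        media_type = req.headers.get("Content-Type", "").split(";")[0].strip()
        if media_type != "application/json":
            return Response(415, {"error": "unsupported media type"})
        if len(req.body) > MAX_BODY_BYTES:
            return Response(413, {"error": "payload too large"})
    accept = req.headers.get("Accept", "*/*")
    if "application/json" not in accept and "*/*" not in accept:
        return Response(406, {"error": "not acceptable"})
    try:
        if req.path == "/orders" and req.method == "POST":
            return _create_order(req)
        if req.path == "/reports":
            return _report(req)
        return Response(200, {"items": []})
    except ValueError:
        return Response(400, {"error": "malformed request body"})
    except Exception:
        # Log the exception server-side; the client only gets a generic message.
        return Response(500, {"error": "internal server error"})


if __name__ == "__main__":
    r = handle(Request("POST", "/orders", {"Content-Type": "application/json"},
                       body=b'{"item": "pen"}', user="alice"))
    print(r.status, r.headers, r.body)
```

Note that the 500 branch catches `Exception` only after the narrower `ValueError` branch, so client-caused body errors get 400 while everything else collapses to a fixed message; the original exception text (which here contains a hostname and service account) never appears in the response body.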