400 or 403?

400 or 403 for invalid form submission?

Conclusion: use 400

The Spec (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)

10.4.1 400 Bad Request

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

Roy Fielding says 400: http://lists.w3.org/Archives/Public/ietf-http-wg-old/1999JanApr/0080.html

RESTful Web Services p381

400 (“Bad Request”)

This is the generic client-side error status, used when no other 4xx error code is appropriate. It’s commonly used when the client submits a representation along with a PUT or POST request, and the representation is in the right format, but it doesn’t make any sense.

RESTful Web Services p197

If the client sends bad or incomplete data, the ActiveRecord validation rules (defined in the User model) fail, and the call to User#save returns false. The response code then is 400 (“Bad Request”).

RESTful Web Services p382 - this doesn't sound quite right to me

403 (“Forbidden”)

The client’s request is formed correctly, but the server doesn’t want to carry it out. This is not merely a case of insufficient credentials: that would be 401 (“Unauthorized”). This is more like a resource that is only accessible at certain times, or from certain IP addresses.
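As an added illustration (not part of the gist), a constructed handler that applies the conclusion above: malformed syntax and a well-formed but invalid form both get 400 with the reason in the entity so the client can fix and resubmit, while a refusal that authorization cannot fix gets 403 (or 404 when the server prefers not to reveal the resource). The request dict, the field names and the `user_may_create` / `hide_resource` flags are assumptions.

```python
import json

# Constructed example: `request` is a plain dict standing in for a real
# framework request object; nothing here is a real library API.

REQUIRED_FIELDS = ("username", "email")


def validate_user(form):
    """Return field -> error for a well-formed form whose content makes no sense."""
    errors = {}
    for field in REQUIRED_FIELDS:
        if not form.get(field):
            errors[field] = "this field is required"
    email = form.get("email", "")
    if email and "@" not in email:
        errors["email"] = "not a valid email address"
    return errors


def handle_create_user(request):
    """Map the failure modes discussed above to (status, body).

    - caller not permitted to create users: 403, or 404 if hiding the resource
    - body is not valid JSON (malformed syntax): 400
    - body parses but fails validation (well-formed, makes no sense): 400,
      with the per-field reasons in the entity
    """
    # Check permission before parsing: no work is spent on bodies from callers
    # who are refused regardless, and 401 is wrong because credentials won't help.
    if not request.get("user_may_create"):
        if request.get("hide_resource"):
            return 404, {"error": "not found"}
        return 403, {"error": "forbidden"}
    try:
        form = json.loads(request.get("body", ""))
    except json.JSONDecodeError:
        return 400, {"error": "malformed request body"}
    if not isinstance(form, dict):
        return 400, {"error": "expected a JSON object"}
    errors = validate_user(form)
    if errors:
        # Right format, wrong content: still a client error, still 400.
        return 400, {"error": "validation failed", "fields": errors}
    return 201, {"created": form["username"]}
```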

Other sources:

http://stackoverflow.com/questions/3290182/rest-http-status-codes

http://stackoverflow.com/questions/1959947/whats-an-appropriate-http-status-code-to-return-by-a-rest-api-service-for-a-val
