I'm wanting to return an HTTP code for a user that hits HTTP on an HTTPS-only domain or vice versa. Which HTTP code would be suited for this?

I don't want to redirect to the correct protocol as it would promote bad/insecure links and my server setup doesn't allow me to disable the protocol on the domains.

I'm thinking 400, 403, 406, or 500.

Kendall Hopkins
  • http://stackoverflow.com/questions/2554778/what-is-the-proper-http-response-to-send-for-requests-that-require-ssl has some suggestions – Egor Jul 26 '12 at 20:39

1 Answer

I think you are looking for: 403 Forbidden (at least this one I would opt for)

> The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

Learner
  • +1. This makes sense. Incidentally, Microsoft agrees with your answer, and even chose to (incorrectly) "extend" the 403 status code to *[403.4 - SSL Required](http://en.wikipedia.org/wiki/HTTP_403)* for IIS. – ArjunShankar Jul 26 '12 at 20:59
  • @Cristi Would you use this for both HTTP on HTTPS-only and HTTPS on HTTP-only? – Kendall Hopkins Jul 26 '12 at 21:01
  • I think yes, because the server has a good reason not to fulfill the request. Moreover, it tells the client not to repeat... – Learner Jul 26 '12 at 21:17
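
An added example, not part of the original question, answer or comments: a WSGI middleware that refuses wrong-scheme requests with 403 in both directions (HTTP on an HTTPS-only host, HTTPS on an HTTP-only host), puts the reason in the entity, omits the body for HEAD, and never sends a `Location` header. The host names, the `SchemePolicy` class and the `probe` helper are hypothetical, and the code assumes `wsgi.url_scheme` reflects the scheme the client actually used.

```python
from wsgiref.util import setup_testing_defaults

# Constructed policy table: host -> the only scheme that host may be served over.
REQUIRED_SCHEME = {"secure.example.test": "https", "legacy.example.test": "http"}

class SchemePolicy:
    """Refuse wrong-scheme requests with 403 instead of redirecting them."""
    def __init__(self, app, required):
        self.app, self.required = app, required

    def __call__(self, environ, start_response):
        # Drop any :port suffix; hosts not in the table pass through untouched.
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        # Assumption: no TLS-terminating proxy rewrites the scheme before us.
        scheme = environ.get("wsgi.url_scheme", "http")
        required = self.required.get(host)
        if required is None or scheme == required:
            return self.app(environ, start_response)
        # State the reason for the refusal in the entity, as the 403 text suggests.
        body = f"403 Forbidden: {host} is served over {required.upper()} only.\n".encode()
        headers = [
            ("Content-Type", "text/plain; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ]
        start_response("403 Forbidden", headers)  # no Location header: not a redirect
        # A HEAD response carries the headers only.
        return [] if environ.get("REQUEST_METHOD") == "HEAD" else [body]

def site(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def probe(app, scheme, host, method="GET"):
    """Drive the app once with a constructed request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"wsgi.url_scheme": scheme, "HTTP_HOST": host, "REQUEST_METHOD": method})
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

app = SchemePolicy(site, REQUIRED_SCHEME)

if __name__ == "__main__":
    for scheme, host in [("http", "secure.example.test"), ("https", "secure.example.test"),
                         ("https", "legacy.example.test")]:
        print(scheme, host, "->", probe(app, scheme, host)[0])
```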