13

What is the most appropriate response code to return when using the PUT method to update a resource, and the request contains some data that would invalidate the domain rules?

For example, a customer resource must have a name specified. If an agent tries to issue a PUT without supplying a name I don't want to update the resource, and I want to tell the caller that they need to supply a name.

What HTTP response code?

rotary_engine

3 Answers

27

How about 422?

"The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415(Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions."

RFC 4918, Section 11.2

Julian Reschke
  • Sounds promising. I hadn't seen that code, it doesn't appear in most documentation. – rotary_engine Feb 04 '10 at 01:16
  • 2
    That is part of WebDAV, /not/ standard HTTP. – Matthew Flaschen Feb 04 '10 at 06:49
  • 2
    Matthew, that comment doesn't make sense. There's a reason why status codes in HTTP are extensible, and why there's an IANA registry. – Julian Reschke Feb 04 '10 at 09:01
  • The registry exists so different extensions don't claim the same numbers for different purposes. That doesn't mean you should just cherry-pick status codes from extensions. – Matthew Flaschen Feb 04 '10 at 10:18
  • 8
    Well, it also doesn't mean you can't. I've had the discussion before with an author of RFC 2616 who agreed that 422 is a good thing and can absolutely be used outside WebDAV. If you disagree I'd recommend that you join the HTTPbis Working Group which, among other things, is chartered to clarify existing extension points when necessary. – Julian Reschke Feb 04 '10 at 13:04
  • I think this is the correct answer. See also http://stackoverflow.com/a/20215807/47185 – Tyler Rick Apr 01 '14 at 16:27
  • @JulianReschke - I was just wondering whether you still agree with this answer, now that RFC7231 has clarified that 400 is not only for syntactically malformed requests? – Jules Apr 16 '18 at 16:51
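
The distinction drawn in the RFC 4918 quotation above (415 for an unknown media type, 400 for broken syntax, 422 for a well-formed body that breaks a domain rule), as an added example that is not part of the original answer or its comments. The function name `put_customer`, the in-memory store and the JSON body format are assumptions; only the "customer must have a name" rule comes from the question.

```python
import json

# Constructed in-memory store standing in for the real persistence layer.
CUSTOMERS = {"42": {"name": "Acme Ltd"}}


def put_customer(customer_id, content_type, raw_body, store=CUSTOMERS):
    """Handle a PUT and return (status, body). The store changes only on success."""
    # 415: the server does not understand the media type of the entity.
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, {"error": "expected application/json"}

    # 400: the media type is known but the entity is syntactically broken.
    try:
        doc = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400, {"error": "body is not valid JSON"}

    # 422: syntax is fine, but the content violates a domain rule.
    # Report every violated rule so the caller knows what to supply.
    errors = {}
    if not isinstance(doc, dict):
        errors["body"] = "must be a JSON object"
    else:
        name = doc.get("name")
        if not isinstance(name, str) or not name.strip():
            errors["name"] = "is required"
    if errors:
        return 422, {"errors": errors}

    # Validation passed: only now is the stored resource replaced.
    created = customer_id not in store
    store[customer_id] = {"name": doc["name"].strip()}
    return (201 if created else 200), store[customer_id]
```
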
4

The response code is not related to the HTTP method in this case. You should return the same status code as if it had been a POST request. I'd say you should use 400 or 409 (Note: See further discussion of the difference between the two in the comments).

troelskn
  • I actually had 409 - Conflict written down. Though, looking at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html under 400 - Bad Request "The request could not be understood by the server due to malformed syntax.". If you can check the business rules of a request, and know they are invalid, then surely it isn't malformed syntax? I vote 409. – rotary_engine Feb 03 '10 at 09:59
  • While `409` is probably the most correct, the `X00` responses can also be seen as the generic response within a category. So `400` is less specific than `409`. It's not how they are defined, but de-facto that's often the interpretation. – troelskn Feb 03 '10 at 10:13
  • 500 is definitely not the right response in this case as it is the client that made the error, not the server. 409 is used for concurrency conflicts, not rule violations. – Darrel Miller Feb 03 '10 at 13:25
  • @darrel Are you sure about the `409`? The spec features a concurrency conflict as an example, but I read it as being just one example of a broader category. – troelskn Feb 03 '10 at 16:04
  • No I'm not sure, and I can find no confirmation. Even the Httpbis document which is intended to clarify Http 1.1 does not elaborate further http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-08#section-8.4.10 – Darrel Miller Feb 03 '10 at 16:44
  • Httpbis for 409 - "The request could not be completed due to a conflict with the current state of the resource.". Would rule violations be considered part of the resource state? – rotary_engine Feb 04 '10 at 01:21
  • 1
    IE8 displays 408/409 as "The website is too busy to show the webpage". – rotary_engine Feb 04 '10 at 10:07
4

I would return a 400. Strictly, this is for "malformed syntax" (not invalid data), but in practice YouTube, Twitter, etc. use it for more generally "bad" requests.

Matthew Flaschen