5

Although RFC 7231 was intended to bring clarity, it evidently has brought ambiguity regarding status code 400. Note this SO answer and the comments. One person says 400 now includes logical, application or verification errors, another person says that 400 still is intended only for syntactic or validation errors.

6.5.1. 400 Bad Request
The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

I would like to get a more definitive answer about this. Consider two scenarios where a POST or PUT attempted to provide an e-mail address:

  • The e-mail found in the request failed validation (e.g. it contained "hello#gmail.com"). A 400 reply is sent.
  • The e-mail found in the request failed verification (e.g. another user is already using that address). A ??? reply is sent.

I want to follow RFC 7231. My reading of 6.5.1 tells me that the verification error should receive a 409 (or 422) response. But others disagree, and claim it should now be a 400.

Does anyone have more information that would resolve this ambiguity?

Brent Arias
  • 2
    There are hundreds of "Which status code to use in " questions. 400 is a blanket statement, if you can find one that fits the scenario better, choose the more specific one - if you want to. Key is to be consistent. – CodeCaster Jul 09 '15 at 19:20
  • The answer is use whatever works best for you. – sanpaco Jul 10 '15 at 21:54

1 Answer

2

200 is a fine status code to send in this situation. After all, do HTML forms get a 4xx back when you don't put in a valid post code?

Status codes are for generic consumption, not application-specific semantics. They're useful when a non-specific recipient -- e.g., a proxy, a cache, an HTTP library -- can do something interesting when it comes in.

So, 400 is to be used when there are errors stemming from client problems (such as bad request HTTP syntax). It was made more generic in 7231 because x00 status codes are the most generic of their series, and should be considered fallbacks when a more specific status code isn't defined.

You can use 400 for a validation error too, and it will be theoretically, slightly helpful in that an HTTP library knows not to repeat that request -- but it certainly isn't worth getting too concerned about if it's 200.

Mark Nottingham
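The two scenarios from the question and the status-class point from the answer, as an added example that is not part of the original question or answer. The function names, the simplified address regex, the in-memory set of registered addresses and the choice of 409 (one of the codes the question considers) are assumptions made for illustration.

```python
import re

# Deliberately simple syntax check (assumption): one "@", no spaces, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def register_email(body, registered, errors_in_status=True):
    """Return (status, payload) for a POST/PUT that supplies an e-mail address.

    errors_in_status=True  -> the question's reading: 400 validation, 409 verification.
    errors_in_status=False -> the answer's alternative: 200, error only in the body.
    """
    email = body.get("email") if isinstance(body, dict) else None
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        # Validation: the value is not a well-formed address ("hello#gmail.com").
        status, payload = 400, {"ok": False, "error": "invalid_email"}
    elif email.lower() in registered:
        # Verification: well-formed, but it conflicts with existing state.
        status, payload = 409, {"ok": False, "error": "email_in_use"}
    else:
        registered.add(email.lower())
        return 201, {"ok": True, "email": email.lower()}
    return (status if errors_in_status else 200), payload


def generic_recipient_view(status):
    """What a proxy, cache or HTTP library can infer from the status class alone."""
    if 200 <= status <= 299:
        return "success"
    if 400 <= status <= 499:
        return "client error: do not repeat unchanged"
    if 500 <= status <= 599:
        return "server error: may retry"
    return "other"


if __name__ == "__main__":
    users = {"alice@example.com"}  # constructed sample data
    for addr in ("hello#gmail.com", "Alice@example.com", "bob@example.com"):
        for in_status in (True, False):
            status, payload = register_email({"email": addr}, set(users), in_status)
            print(addr, in_status, status, generic_recipient_view(status), payload)
```

With `errors_in_status=False` a generic recipient sees "success" for both failures, and only application code that reads the body learns that the address was rejected.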