
I am implementing an endpoint which offers some secret data and I want to add a simple verification mechanism. Which status should I respond with when the user does not have the correct credentials?

400? 403? Or something else?

thanks.

fung

2 Answers


You should use 403. HTTP status code 403 responses are the result of the web server being configured to deny access to the requested resource by the client.

See HTTP 403

Sofiene Djebali

You can use 401 if you intend to authenticate via www-authenticate header field. If the authentication information was incorrect or missing send 401.

Or use 403 to notify the sender of the request that he is not allowed to access the requested content. According to the documentation the response should state the reason why the request was refused. If you do not wish to do so you could alternatively send a 404.

For further information see the linked documentation.

w3.org http Protocol

EDIT: improved from link only answer.

ikarus
  • Please [avoid link only answers](http://meta.stackoverflow.com/tags/link-only-answers/info). Answers that are "barely more than a link to an external site" [may be deleted](http://stackoverflow.com/help/deleted-answers). – Quentin May 09 '17 at 08:10
  • thanks. I will keep that in mind for future Answers. – ikarus May 09 '17 at 08:14
  • 1
    You should also edit this answer so it is not link only anymore – Tim May 09 '17 at 08:15
  • edited as requested. – ikarus May 09 '17 at 08:44
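As an added example (not from the question or either answer), a minimal Python handler showing the split the second answer describes: 401 with a WWW-Authenticate challenge when credentials are missing or wrong, 403 when the caller is authenticated but not permitted to read the resource. The user table, the /secret resource and the helper names are constructed assumptions.

```python
import base64
import hmac

# Constructed sample credentials; a real service would store password hashes.
USERS = {"alice": "s3cret", "bob": "hunter2"}
# Only alice is permitted to read the secret resource (constructed policy).
ALLOWED_READERS = {"alice"}


def _parse_basic(header):
    """Return (user, password) from a 'Basic ...' header, or None if malformed."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle_secret(headers):
    """Decide the response for GET /secret. Returns (status, headers, body).

    401 + WWW-Authenticate: credentials missing or wrong, client may retry.
    403: credentials valid, but this user is not allowed to read the resource.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="secret"'}
    creds = _parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge, "authentication required"
    user, password = creds
    expected = USERS.get(user, "")
    # compare_digest keeps comparison time independent of where the strings
    # differ; comparing unknown users against "" avoids a username oracle.
    ok = hmac.compare_digest(password.encode(), expected.encode())
    if not ok or user not in USERS:
        return 401, challenge, "invalid credentials"
    if user not in ALLOWED_READERS:
        # Authenticated but not authorized: no challenge, nothing to retry.
        return 403, {}, "forbidden"
    return 200, {}, "the secret data"


def basic_header(user, password):
    """Build a Basic Authorization header value (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```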