REST API best HTTP Status response for illegal operation

rest http-status-codes
10,028

Solution 1

In this situation, I usually opt for a 400 Bad Request. I'm not sure if a more specific 400 range status code would fit better, however I would not use 403. For me, a 403 is security related, and should not be used for request payload validation errors.

As for 409 Conflict, I usually use this if the request is valid, but the state change is somehow illegal. However, I have seen it used in other contexts as well.

In the end, as long as you are consistent across your API (and document the meaning of the return status codes), you have some flexibility to decide how you want to express the error.

Solution 2

I think you should use a 403 Forbidden here.

From the HTTP specification:

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. (...)

As you are refusing to change the value of "country", this is the status code you want to return. The client is not authorized to change the resource's country.

409 Conflict is not appropriate in this case. The 409 status is to be used when for instance somebody sends a request to update a resource, but their version of the resource is outdated because the resource has been modified in the meantime. In other words, there is a conflict between the client's data and the data on the server. This has nothing to do with allowing certain properties of the resource to be changed.

The request could not be completed due to a conflict with the current state of the resource. This code is only allowed in situations where it is expected that the user might be able to resolve the conflict and resubmit the request. The response body SHOULD include enough information for the user to recognize the source of the conflict. Ideally, the response entity would include enough information for the user or user agent to fix the problem; however, that might not be possible and is not required.

Conflicts are most likely to occur in response to a PUT request. For example, if versioning were being used and the entity being PUT included changes to a resource which conflict with those made by an earlier (third-party) request, the server might use the 409 response to indicate that it can't complete the request. In this case, the response entity would likely contain a list of the differences between the two versions in a format defined by the response Content-Type.

(emphasis mine)

Share:
10,028
ACs
Author by

ACs

Updated on June 21, 2022

Comments

  • ACs
    ACs almost 2 years

    Im creating a REST API in PHP. When the client may try to perform an action which is unavaible . (For example it tries to change a property of the resource which is not passable... e.g.: tries to change the value of the "country" property to "Julius Caesar") What HTTP status code should I send back with the response? Im speculating between 403 and 409. I don't know if 403 Forbidden is only related to user permissions or can I use for this purpose? And In what situation should I user 409 Confloct? To summarize what is the proper HTTP response status to an illegal operation?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

HTTP 200 or 404 for empty list?
Correct HTTP status code when resource is available but not accessible because of permissions
REST - When to use 400 ("Bad Request")
HTTP Status 202 - how to provide information about async request completion?
Correct HTTP status code for login form?
REST: Mapping application errors to HTTP Status codes
Spring: return @ResponseBody "ResponseEntity<List<JSONObject>>"
HTTP statuscode to retry same request
Authorization in RESTful HTTP API, 401 WWW-Authenticate
HTTP Status Code for External Dependency Error