Returning http 200 OK with error within response body

Question

I'm wondering if it is correct to return HTTP 200 OK when an error occurred on the server side (the error details would be contained inside the response body).

Example:

1. We're sending HTTP GET
2. Something unexpected happened on the server side.
3. Server returns HTTP 200 OK status code with error inside a response (e.g. {"status":"some error occurred"})

Is this the correct behavior or not? Should we change the status code to something else than 200?

Answer 1

I'm wondering if it is correct to return HTTP 200 OK when an error occurred on the server side.

If it makes sense for the use case of the API you are making, the business, the tech team, then yes, it's correct. However, generally speaking, it's nice if the API returns specific status (header) which the client can immediately identify and action.

For example:

1. If the Client gets a "404" on a GET, they know what they asked for doesn't exist. The client can manage this as needed very quickly and simply.
2. If the Client gets a "200" on a GET, but because the API always returns "200", then the code always has to rake through the error messages and data strings trying to ascertain
   1. If something went wrong
   2. If something did, what went wrong, with string matching (urgh)

When an API is built the designated HTTP Response codes for certain scenarios likely wont change, which means Client code doesn't need to either. So communications between Server and Client in terms of the outcome remains solid.

If a Server always returns 200, even with errors, then the Server devs/admins have to be very strict in not just changing those error strings because Client(s) are using them for string matching.

I just see no point in utilising a very useful HTTP option of returning the relevant status code for the Client to make use of.

---

In other news...

A fair bit of conflicting answers here, and (sadly like a lot of tech things) they are arguably all correct. We don't have a concrete binding set of single rules we all must adhere to, in HTTP, code, designs, etc. And often it's not possible to implement a worldwide single "correct" approach because apps, business, and general scenarios determine what the "correct" approach is.

"Good/bad/right/wrong" can very much be subjective terms, especially in tech and developer world.

Answer 2

I am recently working on an ASP.net project which runs on IIS server, and IIS server tend to append default HTMLs in the response if there's anything wrong.

The problem is, the project is an API service that talks with json only, so we wanted to avoid IIS server from doing that. What's worse, OS is in Traditional Chinese so IIS server's default HTMLs are in BIG-5 instead of UTF-8! That confused our frontend developers alot, because response becomes gibberish then.

Sadly I don't have privilege to switch ourselves away from using IIS server too, nor to change the configurations. So in the end, for all the business errors and exceptions we can catch in the backend, we send 200 OK while wrapping actual http status code/message in the response json.

I think that although this is against traditional HTTP codes definition, it avoids unwanted influences towards response between server and client.

I am not a frontend guy so not sure - but I guess this also ceases the need for looking at both HTTP status and body for either a request is successful.

Answer 3

No, it's very incorrect to send 200 with a error body

HTTP is an application protocol. 200 implies that the response contains a payload that represents the status of the requested resource. An error message usually is not a representation of that resource.

If something goes wrong while processing GET, the right status code is 4xx ("you messed up") or 5xx ("I messed up").

Answer 4

HTTP status codes say something about the HTTP protocol. HTTP 200 means transmission is OK on the HTTP level (i.e request was technically OK and server was able to respond properly). See this wiki page for a list of all codes and their meaning.

HTTP 200 has nothing to do with success or failure of your "business code". In your example the HTTP 200 is an acceptable status to indicate that your "business code error message" was successfully transferred, provided that no technical issues prevented the business logic to run properly.

Alternatively you could let your server respond with HTTP 5xx if technical or unrecoverable problems happened on the server. Or HTTP 4xx if the incoming request had issues (e.g. wrong parameters, unexpected HTTP method...) Again, these all indicate technical errors, whereas HTTP 200 indicates NO technical errors, but makes no guarantee about business logic errors.

To summarize: YES it is valid to send error messages (for non-technical issues) in your http response together with HTTP status 200. Whether this applies to your case is up to you. If for instance the client is asking for a file that isn't there, that would be more like a 404. If there is a misconfiguration on the server that might be a 500. If client asks for a seat on a plane that is booked full, that would be 200 and your "implementation" will dictate how to recognise/handle this (e.g. JSON block with a { "booking": "failed" })

Answer 5

I think these kinds of problems are solved if we think about real life.

Bad Practice:

Example 1:

Darling everything is FINE/OK (HTTP CODE 200) - (Success):
{
  ...but I don't want us to be together anymore!!!... (Error)
  // Then everything isn't OK???
}

Example 2:

You are the best employee (HTTP CODE 200) - (Success):
{
  ...But we cannot continue your contract!!!... (Error)
  // Then everything isn't OK???
}

Good Practices:

 Darling I don't feel good (HTTP CODE 400) - (Error):
{
  ...I no longer feel anything for you, I think the best thing is to separate... (Error)
  // In this case, you are alerting me from the beginning that something is wrong ...
}

This is only my personal opinion, each one can implement it as it is most comfortable or needs.

Note: The idea for this explanation was drawn from a great friend @diosney

Answer 6

I think people have put too much weight into the application logic versus protocol matter. The important thing is that the response should make sense. What if you have an API that serves a dynamic resource and a request is made for X which is derived from template Y with data Z and either Y or Z isn't currently available? Is that a business logic error or a technical error? The correct answer is, "who cares?"

Your API and your responses need to be intelligible and consistent. It should conform to some kind of spec, and that spec should define what a valid response is. Something that conforms to a valid response should yield a 200 code. Something that does not conform to a valid response should yield a 4xx or 5xx code indicative of why a valid response couldn't be generated.

If your spec's definition of a valid response permits { "error": "invalid ID" }, then it's a successful response. If your spec doesn't make that accommodation, it would be a poor decision to return that response with a 200 code.

I'd draw an analogy to calling a function parseFoo. What happens when you call parseFoo("invalid data")? Does it return an error result (maybe null)? Or does it throw an exception? Many will take a near-religious position on whether one approach or the other is correct, but ultimately it's up to the API specification.

"The status-code element is a three-digit integer code giving the result of the attempt to understand and satisfy the request"

Obviously there's a difference of opinion with regards to whether "successfully returning an error" constitutes an HTTP success or error. I see different people interpreting the same specs different ways. So pick a side, sure, but also accept that either way the whole world isn't going to agree with you. Me? I find myself somewhere in the middle, but I'll offer some commonsense considerations.

1. If your server-side code catches an unexpected exception when dispatching a request, that sounds like the very definition of a 500 Internal Server Error. This seems to be OP's situation. The application should not return a 200 for unexpected errors, but also see point 3.
2. If your server-side code should be able to gracefully handle a given invalid input, and it doesn't constitute an "exceptional" error condition, your spec should accommodate HTTP 200 responses that provide meaningful diagnostic information.
3. Above all: Have a spec. Make it consistent. Stick to it.

In OP's situation, it sounds like you have a de-facto standard that unhandled exceptions yield a 200 with a distinguishable response body. It's not ideal, but if it's not breaking things and actively causing problems, you probably have bigger, more important problems to solve.

Answer 7

HTTP Is the Protocol handling the transmission of data over the internet.

If that transmission breaks for whatever reason the HTTP error codes tell you why it can't be sent to you.

The data being transmitted is not handled by HTTP Error codes. Only the method of transmission.

HTTP can't say 'Ok, this answer is gobbledigook, but here it is'. it just says 200 OK.

i.e : I've completed my job of getting it to you, the rest is up to you.

I know this has been answered already but I put it in words I can understand. sorry for any repetition.

Answer 8

To clarify, you should use HTTP error codes where they fit with the protocol, and not use HTTP status codes to send business logic errors.

Errors like insufficient balance, no cabs available, bad user/password qualify for HTTP status 200 with application specific error handling in the response body.

See this software engineering answer:

I would say it is better to be explicit about the separation of protocols. Let the HTTP server and the web browser do their own thing, and let the app do its own thing. The app needs to be able to make requests, and it needs the responses--and its logic as to how to request, how to interpret the responses, can be more (or less) complex than the HTTP perspective.

Answer 9

Even if I want to return a business logic error as HTTP code there is no such acceptable HTTP error code for that errors rather than using HTTP 200 because it will misrepresent the actual error.

So, HTTP 200 will be good for business logic errors. But all errors which are covered by HTTP error codes should use them.

Basically HTTP 200 means what server correctly processes user request (in case of there is no seats on the plane it is no matter because user request was correctly processed, it can even return just a number of seats available on the plane, so there will be no business logic errors at all or that business logic can be on client side. Business logic error is an abstract meaning, but HTTP error is more definite).