Reputation: 1336
I'm writing a Node.js/NPM module for protecting express servers against DNS Rebind attacks through server-side Host and Referer [sic] header validation. The server admin specifies whitelisted Hosts and/or Referers, and any requests that don't include those whitelisted values will receive error status codes and no results.
What would be the most appropriate HTTP status code to return to the client when they provide an invalid Host or Referer header in their request, or when they fail to provide one at all when one is required? I'm thinking 401 Unauthorized, but I wanted to get a second opinion. An argument could also be made for 400 Bad Request, or I suppose, 412 Precondition Failed.
Does the server have an obligation to notify the client why their request is being rejected via response headers or body (e.g. a whitelisted Host is required), or is it ok to respond with an error code and leave the client wondering for security/obfuscation purposes?
Upvotes: 2
Views: 3384
Reputation: 2168
You might be correct, best match seems to be Unauthorized. But the best matching HTTP status code is not 401, it is actually 403.
403 status code says The request was valid, but the server is refusing action. The user might not have the necessary permissions for a resource, or may need an account of some sort.
and the latter part of this sentence fits your use case perfectly.
See: https://stackoverflow.com/a/6937030/945214
To all unauthorized/unauthenticated requests, it is not advisable to respond back with any explanation, as it would be an information leakage from your server: http://projects.webappsec.org/w/page/13246936/Information%20Leakage.
Upvotes: 4
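An added example, not the asker's module or any published package, of the Host/Referer whitelist check the question describes, rejecting with the 403 the answer recommends and an empty body so nothing about which check failed is leaked. It assumes Express-style `req.headers` (header names lowercased, as Node's HTTP parser delivers them) and `res.status(...).end()`; the names `allowedHosts`, `requireReferer`, `checkRequestHeaders` and `dnsRebindGuard` are my own.

```javascript
// Extract the hostname (no port) from a Host header value, or null if unparsable.
// The Host header has no scheme, so a dummy one is prefixed for the WHATWG URL parser,
// which also lowercases the host and handles bracketed IPv6 literals.
function hostnameOf(hostHeader) {
  if (!hostHeader) return null;
  try {
    return new URL(`http://${hostHeader}`).hostname;
  } catch {
    return null;
  }
}

// Returns null when the request is acceptable, otherwise the HTTP status to send.
// allowedHosts: hostnames the server is legitimately reachable under (assumed option name).
// requireReferer: reject requests that carry no Referer at all (assumed option name).
function checkRequestHeaders(headers, allowedHosts, { requireReferer = false } = {}) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const host = hostnameOf(headers.host);
  // A rebound DNS name still sends the attacker's origin as Host; missing Host is rejected too.
  if (host === null || !allowed.has(host)) return 403;
  if (headers.referer !== undefined) {
    let refHost;
    try {
      refHost = new URL(headers.referer).hostname;
    } catch {
      return 403;
    }
    if (!allowed.has(refHost)) return 403;
  } else if (requireReferer) {
    return 403;
  }
  return null;
}

// Express-style middleware factory: app.use(dnsRebindGuard(['localhost', 'app.example']))
function dnsRebindGuard(allowedHosts, options) {
  return function (req, res, next) {
    const status = checkRequestHeaders(req.headers, allowedHosts, options);
    if (status !== null) {
      // Empty body: the client learns only that it was refused, not why.
      res.status(status).end();
      return;
    }
    next();
  };
}
```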