Reputation: 10902
I am currently debugging a surprising "Bad Request" response from an API.
Request:
POST /path HTTP/1.1
...
Response:
HTTP/1.1 421 Misdirected Request
Date: Fri, 30 Nov 2018 21:59:12 GMT
...
Via: https/1.1 subdomain.example.org (ApacheTrafficServer/7.1.4)
...
Per my research, HTTP status code 421 was only added with the HTTP/2 specification. As you can see, my client is sending an HTTP/1.1 request.
Does it make any sense to use it in the response to a HTTPS/1.1 request? What could it mean there?
Update: Further research indicates that this 421 response is triggered by an invalid CSRF token and Cookie value in the header; retrying the request with a verifiable valid combination returns the expected result with 200 OK. Unfortunately this doesn't really explain anything.
Upvotes: 2
Views: 1317
Reputation: 45905
421 was added for HTTP/2 which allowed connection reuse. If a client reused a connection incorrectly (like Firefox used to) then the server should respond with this.
However, that doesn’t mean it’s an HTTP/2-only status code. For example, if a load balancer takes HTTP/2 requests in and passes them to backend servers over HTTP/1.1, then one of those backend servers can reject a request over HTTP/1.1 if it believes it was incorrectly sent that request. As you can see, your request was sent via an Apache Traffic Server, so I suspect that is what happened here.
Upvotes: 2
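The scenario in the answer above, as an added example that is not part of the original posts: a backend speaking plain HTTP/1.1 that answers 421 when the Host header names an authority it is not configured to serve. The authority list, handler and helper names are assumptions made for the illustration, and this is not Apache Traffic Server's own logic.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample: the authorities this backend is configured to serve.
SERVED_AUTHORITIES = {"api.example.org"}


def normalize_authority(host_header):
    """Lower-case the Host value and drop a :port suffix (IPv6 literals not handled)."""
    host = (host_header or "").strip().lower()
    return host.rsplit(":", 1)[0] if ":" in host else host


class OriginHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_POST(self):
        # Drain the request body so the connection stays in sync.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        authority = normalize_authority(self.headers.get("Host"))
        if authority in SERVED_AUTHORITIES:
            self._reply(200, b"ok\n")
        else:
            # Not an authority this server answers for: 421, not 400 or 404.
            self._reply(421, b"misdirected\n")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass


def post_with_host(host_header):
    """Start the origin on a free local port, send one POST, return the status."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), OriginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("POST", "/path", body=b"{}", headers={"Host": host_header})
        status = conn.getresponse().status
        conn.close()
        return status
    finally:
        server.shutdown()
        server.server_close()
```

When triaging an unexpected 421, comparing the Host (and, over TLS, the SNI name) that the proxy forwarded against the names the backend is configured for is the first check this status code points to.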