Adam Wojnar

Reputation: 545

Should Web API return 403 Forbidden or not have an endpoint at all?

I have a web API and, for one Model, I only allow getting by id ([GET] api/models/{modelId}) or updating ([PUT] api/models/{modelId}). The API doesn't support POST, DELETE or getting the collection ([GET] api/models).

Should I still have these methods in the Controller and return Forbid() (403 status)?

Or should I simply remove these methods?

Upvotes: 0

Views: 2224

Answers (1)

James

Reputation: 7533

The full list of HTTP response status codes may help you identify the most appropriate response.

403 Forbidden does not fit the situation you describe:

The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401, the client's identity is known to the server.

On the other hand, 405 Method Not Allowed seems to fit this scenario:

The request method is known by the server but has been disabled and cannot be used. For example, an API may forbid DELETE-ing a resource. The two mandatory methods, GET and HEAD, must never be disabled and should not return this error code.

Note:

The server MUST generate an Allow header field in a 405 response containing a list of the target resource's currently supported methods.

Upvotes: 1
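As an added illustration of the answer's point (not code from the question or the answer), here is a small framework-free dispatcher in Python: the item route only implements GET and PUT, any other method on that route gets 405 with the mandatory Allow header, HEAD is derived from GET so it is never disabled, and the collection path is simply not a defined resource, so it gets 404 (an assumption of this example, since the question removes it entirely). The route table, store and handlers are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]

# Constructed in-memory store standing in for the real Model storage.
MODELS: Dict[str, bytes] = {"42": b'{"id": 42, "name": "demo"}'}


def get_model(model_id: str) -> Response:
    body = MODELS.get(model_id)
    if body is None:
        return 404, {}, b""
    return 200, {"Content-Type": "application/json"}, body


def put_model(model_id: str, body: bytes) -> Response:
    MODELS[model_id] = body
    return 204, {}, b""


# Route table: only GET and PUT exist for the item resource; there is no
# collection route at all, so /api/models is an unknown resource (404).
ROUTES: Dict[str, Dict[str, Callable]] = {
    "/api/models/{id}": {"GET": get_model, "PUT": put_model},
}


def allowed_methods(route: str) -> List[str]:
    """Methods to advertise in Allow; HEAD is always allowed wherever GET is."""
    methods = set(ROUTES[route])
    if "GET" in methods:
        methods.add("HEAD")
    return sorted(methods)


def match(path: str) -> Tuple[Optional[str], Optional[str]]:
    parts = path.split("/")
    for route in ROUTES:
        rparts = route.split("/")
        if len(rparts) == len(parts) and all(
            r.startswith("{") or r == p for r, p in zip(rparts, parts)
        ):
            return route, parts[-1]
    return None, None


def handle(method: str, path: str, body: bytes = b"") -> Response:
    route, model_id = match(path)
    if route is None:
        return 404, {}, b""          # resource does not exist at all
    allowed = allowed_methods(route)
    if method not in allowed:
        # Known resource, method deliberately not supported: 405 plus Allow.
        return 405, {"Allow": ", ".join(allowed)}, b""
    if method == "HEAD":
        status, headers, _ = get_model(model_id)
        return status, headers, b""  # same status/headers as GET, no body
    if method == "PUT":
        return put_model(model_id, body)
    return get_model(model_id)
```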
