Reputation: 332
Should an optional, statically-defined resource that is unimplemented be defined as 403 or 501 (or something else)?
I have a device for which I am implementing an HTTP API and defining it via OpenAPI 3.0. The following paths are defined:
/scan/inventory/start
/scan/location/start
/scan/direction/start
This API is designed to run on various devices, but not all of them implement the location or direction feature, but all do implement the inventory feature. The available features can be queried by GETing the /scan path.
For a device that does not support location my team has been waffling on the error code to return if someone attempts to use it. We want to provide useful feedback when this happens, so 404 seems ruled out, especially since the path is documented in our API. After reading and re-reading RFC-7231 and various summaries of it, 501 or 403 seemed like good choices.
At first, "501 Not Implemented" seemed like a good choice, but the 5XX class of errors seems to suggest a more serious server error.
Since we want to provide feedback, "403 Forbidden" seems good and puts the onus on the client for accessing a bad path.
I'm sure part of the problem is that we're attempting to use a specification (HTTP) that was not necessarily designed for arbitrary APIs.
What would you suggest we do?
Upvotes: 0
Views: 89
Answers (1)
Reputation: 48922
This is a pretty straightforward 404.
The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
403 isn't right, since that indicates that the user isn't "authorized" to access that resource. It implies that the issue lies on the client side. But in this case there simply is no resource.
501 isn't right, since that "indicates that the server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource." In this case the server has no problem supporting the request, it's just that the resource doesn't exist.
Note that "server" refers to the web server. The issue isn't whether or not your application as a whole supports some bit of functionality, it's whether the web server is capable of handling the HTTP request it was sent. It's not appropriate to use HTTP status codes to indicate that kind of high-level application state.
Also note that the status code isn't just a private contract between your application and its users. All actors in the web stack—loggers, intermediate caches, browsers, etc.—might change their behavior depending on the status code. That's why it's important to reserve things like 5xx for actual server errors.
To summarize, since the resource at that URI doesn't exist, the best way to provide useful feedback is to return a 404. If you want to distinguish between features that are never supported and those that are simply unsupported for that device you should use a mechanism other than the status code. Fortunately you're off to a good start by listing the available features at /scan.
Upvotes: 1
Related Questions
- For REST resources that do not exist, when to return 404 and when to return 403?
- Is HTTP 501 appropriate for an unimplemented API?
- Should a 403/404 supersede a 405 response?
- Should I return a 404 error on a resource resulting in empty set?
- Should Web API return 403 Forbidden or not have an endpoint at all?
- REST API Design: Respond with 406 or 404 if a resource is not available in a requested representation
- Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?
- Are there any issues with using "501 Not Implemented" instead of a OPTIONS?
- Which HTTP code to use for an empty subresource in a REST API?
- What should the HTTP response be when the resource is forbidden but there's an alternate resource?