wcarhart

Reputation: 2773

What's the proper HTTP error code to use when a request is missing the Origin header?

I am designing an API and a requirement to access some endpoints is that the Origin header must be set in the request. I am rejecting requests that either (a) are missing the header altogether or (b) are sending requests from an origin that is not in a specified allowlist.

When I reject requests that do not meet these criteria, what is the correct HTTP error code to use? I initially thought 401 or 403, but there's not any true authentication/authorization issue in these cases. 400 feels too generic. Is there a code more specific to this scenario?

Upvotes: 1

Views: 564

Answers (1)

rhinosforhire

Reputation: 1345

The 400 may feel "too generic" but I think it's for this exact scenario where you are rejecting incomplete or otherwise bad requests.

Upvotes: 1
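
An added example, not part of the question or the answer: a framework-independent Python check for the two rejection cases in the question, returning 400 for both as the answer suggests. The allowlist entries, function names and reason strings are assumptions made for illustration.

```python
import re

# Constructed allowlist for this example (hypothetical origins).
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})
DEFAULT_PORTS = {"http": 80, "https": 443}
# scheme://host[:port] only; an Origin value has no path, query or userinfo.
# re.ASCII stops IGNORECASE from matching non-ASCII look-alike letters.
ORIGIN_RE = re.compile(r"(https?)://([a-z0-9.-]+)(?::([0-9]{1,5}))?",
                       re.ASCII | re.IGNORECASE)


def normalize_origin(value):
    """Return canonical 'scheme://host[:port]', or None if malformed."""
    match = ORIGIN_RE.fullmatch(value.strip(" \t"))
    if match is None:
        return None
    scheme, host, port = match.group(1).lower(), match.group(2).lower(), match.group(3)
    # Drop the default port so ':443' and no port compare equal.
    if port is None or int(port) == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{int(port)}"


def check_origin(headers):
    """Return (status, reason) for a mapping of request headers."""
    # Header names are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("origin")
    if raw is None or not raw.strip():
        return 400, "Origin header is required"
    origin = normalize_origin(raw)
    if origin is None:
        return 400, "Origin header is not a valid origin"
    # Exact set membership, never substring or suffix matching.
    if origin not in ALLOWED_ORIGINS:
        return 400, "Origin is not on the allowlist"
    return 200, "ok"


if __name__ == "__main__":
    for sample in ({}, {"Origin": "null"}, {"Origin": "https://app.example.com"}):
        print(sample, "->", check_origin(sample))
```

Comparing the normalized value against the set as a whole string is what keeps a look-alike such as `https://app.example.com.evil.test` from passing the check.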
