According to http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.2 the only response ever mentioned regarding an HTTP OPTIONS request is a 200. However, there seem to be cases such as when the content-length is 0 that a 204 would be more appropriate. Is it appropriate for an HTTP OPTIONS request to return a 204?
The 204 (No Content) status code indicates that the server has successfully fulfilled the request and that there is no additional content to send in the response payload body. While 200 OK being a valid and the most common answer, returning a 204 No Content could make sense as there is absolutely nothing to return.
The HTTP 204 No Content success status response code indicates that a request has succeeded, but that the client doesn't need to navigate away from its current page.
The HTTP OPTIONS method requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk ( * ) to refer to the entire server. Request has body.
This HTTP method basically reports which HTTP Methods that are allowed on the web server. In reality, this is rarely used for legitimate purposes, but it does grant a potential attacker a little bit of help and it can be considered a shortcut to find another hole.
RFC 2616 says:
A 200 response SHOULD...
...
If no response body is included, the response MUST include a Content-Length field with a field-value of "0".
which indeed makes it unclear whether the 200 applies to the whole paragraph or only the first sentence. If you wanted to play it safe, you'd let the MUST take precedence (and it wouldn't cost you much).
RFC 7231, which obsoletes RFC 2616, changed the wording to
A server generating a successful response to OPTIONS SHOULD...
...
A server MUST generate a Content-Length field with a value of "0" if no payload body is to be sent in the response.
which makes the last sentence apply in the general sense to 2xx statuses, and the MUST prevails.
So, Content-Length MUST be sent. But a Content-Length cannot be sent with a 204:
RFC 2616 says it like so:
The presence of a message-body in a request is signaled by the inclusion of a Content-Length or Transfer-Encoding header field...
... All 1xx (informational), 204 (no content), and 304 (not modified) responses MUST NOT include a message-body.
And RFC 7230 clarifies this as well:
A server MUST NOT send a Content-Length header field in any response with a status code of 1xx (Informational) or 204 (No Content).
That's how I understand it, anyway.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With