Can an HTTP OPTIONS request return a 204 or should it always return 200?

According to http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.2 the only response ever mentioned regarding an HTTP OPTIONS request is a 200. However, there seem to be cases such as when the content-length is 0 that a 204 would be more appropriate. Is it appropriate for an HTTP OPTIONS request to return a 204?

508 upvotes. Asked Feb 05 '13 08:02 by user1675009



1 Answer

RFC 2616 says:

A 200 response SHOULD...

...

If no response body is included, the response MUST include a Content-Length field with a field-value of "0".

which indeed makes it unclear whether the 200 applies to the whole paragraph or only the first sentence. If you wanted to play it safe, you'd let the MUST take precedence (and it wouldn't cost you much).

RFC 7231, which obsoletes RFC 2616, changed the wording to

A server generating a successful response to OPTIONS SHOULD...

...

A server MUST generate a Content-Length field with a value of "0" if no payload body is to be sent in the response.

which makes the last sentence apply in the general sense to 2xx statuses, and the MUST prevails.

So, Content-Length MUST be sent. But a Content-Length cannot be sent with a 204:

RFC 2616 says it like so:

The presence of a message-body in a request is signaled by the inclusion of a Content-Length or Transfer-Encoding header field...

... All 1xx (informational), 204 (no content), and 304 (not modified) responses MUST NOT include a message-body.

And RFC 7230 clarifies this as well:

A server MUST NOT send a Content-Length header field in any response with a status code of 1xx (Informational) or 204 (No Content).

That's how I understand it, anyway.

98 upvotes. Answered Oct 03 '22 22:10 by amichair
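An added example, not taken from the answer or from either RFC: a small Python checker that applies the two MUST rules the answer quotes (a 204 or 1xx response must not carry Content-Length; a successful response with no body must carry Content-Length: 0) to raw OPTIONS responses. The sample responses are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses to an OPTIONS request (not from the original post).
RESPONSE_200_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET, HEAD, OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
RESPONSE_204_WITH_LENGTH = (          # violates RFC 7230 section 3.3.2
    b"HTTP/1.1 204 No Content\r\n"
    b"Allow: GET, HEAD, OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
RESPONSE_200_NO_LENGTH = (            # violates the RFC 7231 section 4.3.7 MUST
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET, HEAD, OPTIONS\r\n"
    b"\r\n"
)

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body

def check_options_response(raw: bytes) -> List[str]:
    """Return the list of framing-rule violations found in a response to OPTIONS
    (empty list means the response is consistent with RFC 7230/7231)."""
    status, h, body = parse_response(raw)
    problems: List[str] = []
    if status == 204 or 100 <= status < 200:
        # RFC 7230 3.3.2: no Content-Length on 1xx or 204 responses.
        if "content-length" in h:
            problems.append("%d response MUST NOT send Content-Length" % status)
    elif 200 <= status < 300:
        # RFC 7231 4.3.7: empty successful OPTIONS reply needs Content-Length: 0.
        if body == b"" and "content-length" not in h and "transfer-encoding" not in h:
            problems.append("successful response with no body MUST send Content-Length: 0")
        if "allow" not in h:
            problems.append("successful OPTIONS response SHOULD send Allow")
    return problems
```

Running the checker over a server's actual OPTIONS replies is a quick way to confirm which of the two compliant shapes (200 with Content-Length: 0, or 204 without it) it produces.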