
Correct response to HTTP HEAD Request on HTTPS only site

We have an ASP.Net MVC3 site only accessible over HTTPS, by using the RequireHTTPS attribute on the controller.

We are receiving numerous HTTP HEAD method requests, mainly from what appear to be Twitter bots. The default ASP.Net/MVC3 response is a '500 Internal Server Error', and these are being caught/logged by elmah and log4net (now filtered out!).

I could write a specific controller and route to handle these non-HTTPS requests as per this question - Responding to HEAD Request in asp.NET MVC 3.

But, from the bots' perspective, what would be the best response? 200 to show the server is alive, a 302 redirect to the HTTPS URL, or stick with the 500 as the site isn't accessible over HTTP?

asked Dec 15 '11 17:12

Chris



1 Answer

You could respond with

405 Method Not Allowed

which means

The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.

or with

501 Not Implemented

which means

The server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource.

Personally, I would go with the 405 since it's an error on the client side; a "Hey man, we don't serve that stuff here." seems more appropriate to me than a "What the hell are you talking about? I don't understand it." one. The latter is suggested by the "the server does not recognize the request method" bit of the 501 description.

All the HTTP status codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

answered Sep 27 '22 18:09

Albireo
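
One way to return the 405 with an Allow header that the answer above suggests, written as an added example that is not part of the original question or answer. The stock RequireHttpsAttribute throws an InvalidOperationException for any non-GET request over plain HTTP, which is where the 500 comes from; the attribute name RequireHttpsOr405 and the Allow value "GET" are assumptions made for this sketch.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical attribute name; apply it where [RequireHttps] is used today.
public class RequireHttpsOr405Attribute : RequireHttpsAttribute
{
    // Assumption: over plain HTTP the only method the site answers is GET,
    // and only with a redirect to the HTTPS URL.
    private const string AllowedOverHttp = "GET";

    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        if (string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            // Keep the stock behaviour: redirect GET to the same URL over HTTPS.
            base.HandleNonHttpsRequest(filterContext);
            return;
        }

        // For HEAD, POST, etc. the base class would throw here and the
        // request would end up as a logged 500. Short-circuit instead with
        // 405 and the Allow header that the status code requires.
        filterContext.HttpContext.Response.AppendHeader("Allow", AllowedOverHttp);
        filterContext.Result = new HttpStatusCodeResult(405, "Method Not Allowed");
    }
}
```

Because the result is set inside the authorization filter, the controller action never runs for these requests and nothing is served over plain HTTP.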