I'm developing an API and I always try to use the most correct HTTP status codes for each scenario.
One of these scenarios is the response for POST requests. For example, a POST method for an endpoint /orders/ receives some information, like a customer:
    {
      customerDocument: {number: "123.456.789"},
      // other information needed to create an order
    }
So, my question is: if this number from customerDocument does not exist, is it OK to return a 404 status code error with a nice message telling that the customer was not found?
I normally use 404 only for GET on specific resources (the most obvious usage), like:
/customers/{number}/
In business validations like "The customer is not active", I normally use the http status code 422 for any http method (POST, PUT, GET, etc). I'm in doubt if I can use 404 or 422 for my POST example.
Overview. When communicating via HTTP, a server is required to respond to a request, such as a web browser request for a web page, with a numeric response code and an optional, mandatory, or disallowed (based upon the status code) message. In code 404, the first digit indicates a client error, such as a mistyped Uniform Resource Locator (URL).
The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists. I just realized that’s the fourth post in this series and 404 Not Found has been involved in all posts so far.
But it was obvious that in certain circumstances we can inadvertently disclose information that a malicious user could use to their advantage just by returning the real HTTP status code. One of those situations is when the resource is forbidden (403).
I think 400 is the appropriate status code in this scenario, given its definition from Wikipedia:

400 Bad Request
The server cannot or will not process the request due to an apparent client error.

According to the description, semantically, 422 is better ("The request was well-formed but was unable to be followed due to semantic errors."). However, 422 was introduced for WebDAV, so it is better to use a general-purpose status code such as 400.

400 is not the perfect status code, as whether the document number exists or is valid is not so apparent. However, excluding special-purpose status codes such as 422, 400 is the best option.
Why is 404 not appropriate?

From a RESTful API point of view, the endpoint /orders/ is a resource, no matter whether it accepts GET or POST or something else. 404 is only appropriate when the resource /orders/ itself does not exist. If the /orders/ endpoint exists, but its invocation failed (no matter what the reason), the response status code must be something other than 404.
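To make the distinction concrete, here is an added example (not code from the question or the answer) of a minimal handler for the /orders/ endpoint that applies the reasoning above: 404 only when the resource path itself is unknown, 400 when the request cannot be parsed or the document number is malformed, and a business-rule failure (customer missing or inactive) reported against the field instead of as 404. It uses 422 for the business-rule cases, as the question's own convention does; swap in 400 there if you prefer the answer's choice. The customer store, the document-number pattern and the order id are constructed assumptions.

```python
import json
import re

# Constructed stand-in for the customer store (assumed data, not from the post).
CUSTOMERS = {
    "123.456.789": {"active": True},
    "987.654.321": {"active": False},
}

# Assumed document-number format: three groups of three digits.
DOCUMENT_RE = re.compile(r"\d{3}\.\d{3}\.\d{3}")


def handle_request(method, path, raw_body, customers=CUSTOMERS):
    """Return (status, payload) for a request to the orders API."""
    if path != "/orders/":
        # The resource itself is unknown: the only case where 404 applies here.
        return 404, {"error": "resource not found"}
    if method != "POST":
        return 405, {"error": "method not allowed"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        # Unparseable body: the "apparent client error" that 400 describes.
        return 400, {"error": "request body is not valid JSON"}
    number = None
    if isinstance(body, dict) and isinstance(body.get("customerDocument"), dict):
        number = body["customerDocument"].get("number")
    if not isinstance(number, str) or not DOCUMENT_RE.fullmatch(number):
        # Present but not shaped like a document number at all: still 400.
        return 400, {"error": "customerDocument.number is missing or malformed"}
    customer = customers.get(number)
    if customer is None:
        # Well-formed request, but the referenced customer does not exist.
        # /orders/ exists, so this is a semantic failure on a field, not a 404.
        return 422, {"error": "customer not found", "field": "customerDocument.number"}
    if not customer["active"]:
        # Same category as the "customer is not active" rule in the question.
        return 422, {"error": "customer is not active", "field": "customerDocument.number"}
    return 201, {"orderId": "order-0001", "customer": number}
```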