
What's the best HTTP status code to use in response to an HTTP GET for a resource that's corrupt or semantically invalid?

E.g., consider a request to GET /person/1234 where data for person ID 1234 exists on the server but violates some business rule, so the server refuses to use it.

  • 404 doesn't apply (because the data actually exists).
  • 4xx in general seems not ideal (because the problem is on the server end, not under the client's control).
  • 503 seems to apply to the service as a whole, not a particular resource.
  • 500 certainly fits, but it's very vague in actually telling the client what might be wrong.

Any suggestions?

  • IMO, 500 would fit best. But if you look at the specification you will not find anything that would be clearly associated with a corrupt/invalid resource the way you describe. 5xx is a server-side error without distinguishing what actually went wrong... Commented Aug 8, 2016 at 18:03
  • Interesting question... Commented Aug 8, 2016 at 18:05
  • Please clarify "violates some business rule". Commented Aug 8, 2016 at 21:55
  • I think 500 is the only official response code that fits this situation. And there is nothing stopping you from including a response body that describes the reason for the failure. Commented Aug 9, 2016 at 0:17
  • Here's a useful guide for choosing an appropriate HTTP Status Code Commented Aug 9, 2016 at 7:26

2 Answers


After reading the comments and the linked resources, it looks like @RemyLebeau's approach is best:

I think 500 is the only official response code that fits this situation. And there is nothing stopping you from including a response body that describes the reason for the failure.



According to iana.org:

4xx: Client Error - The request contains bad syntax or cannot be fulfilled
5xx: Server Error - The server failed to fulfill an apparently valid request

I think none of the 4xx status codes should be valid as a response to an internal server error, a migration, or ... where the client has no responsibility or where the user's inputs are expected to be rechecked, unless the user's pre-filled data are involved, like maybe the user's package does not allow him to access that data after a pre-determined and known date; in such a specific case a 403 Forbidden may be valid, as @Bari suggested.

I'm not an expert, but I think when the rejection, or the decision to consider the endpoint's data corrupt or invalid, is made by the server, then it depends on what should be done next. I see 3 possible cases:

1. It is expected that somehow this is going to be fixed and the client should be invited to request it again at some future moment ==> 503 (Service Unavailable):

   The 503 (Service Unavailable) status code indicates that the server
   is currently unable to handle the request due to a temporary overload
   or scheduled maintenance, which will likely be alleviated after some
   delay. The server MAY send a Retry-After header field
   (Section 7.1.3) to suggest an appropriate amount of time for the
   client to wait before retrying the request.

2. The server cannot fulfill the request, but there is an alternative way that requires the client to include further details. Example: when the requested data is corrupt, the server's error response may include a list of older (or unsaved, unversioned) versions of it and expect the client to be more specific about which version to select, so it can be fetched instead of the corrupted one ==> 510 Not Extended

   The 510 (Not Extended) status code means the policy for accessing the
   resource has not been met in the request. The server should send back
   all the information necessary for the client to issue an extended
   request. It is outside the scope of this specification to specify how
   the extensions inform the client.

   If the 510 response contains information about extensions that were
   not present in the initial request then the client MAY repeat the
   request if it has reason to believe it can fulfill the extension
   policy by modifying the request according to the information provided
   in the 510 response. Otherwise the client MAY present any entity
   included in the 510 response to the user, since that entity may
   include relevant diagnostic information.

   (Case 2 was updated to include an example, as IMHO it may fit such a case. But again, I'm not an expert and I may be wrong about it.)

3. No alternative ways, nothing to be expected, or none of the other cases ==> 500 should be good

   The 500 (Internal Server Error) status code indicates that the server
   encountered an unexpected condition that prevented it from fulfilling
   the request.

2 Comments

I could see how 503 may be used for this, if the data can be corrected for future requests. But I don't think 510 fits, since a custom extension is not being used to access the resource. I would stick with 500 with a response body describing the failure.
What I understood from this is that a further extension to the request itself is required for the server to fulfill it. For example, the server's error response may include a list of older working versions of that corrupted data and expect you to send back the same request specifying which older version of it you require, so the corrupted data could be replaced or just fetched. What do you think @RemyLebeau? Doesn't that case fit in the context of a 510 status code?
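The two options both answers end up agreeing on, 500 with a body that names the failure (first answer, case 3 of the second) and 503 with Retry-After when a repair is scheduled (case 1 of the second), worked through as an added example. This is not code from the question or either answer: the Person record, the business rule (an end date must not precede the start date), the record store and the repair schedule are all constructed for illustration. The body uses the RFC 7807 problem-details format (application/problem+json), which is the standard way to "include a response body that describes the reason for the failure". The 510 case is left out: that code is defined by RFC 2774 for the HTTP Extension Framework, and the comment thread disputes that it applies here.

```python
"""Status selection for GET /person/{id} when the stored record is corrupt.

Added example (not code from the question or the answers). The Person
shape, the business rule, the record store and the repair schedule are
all constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

PROBLEM_JSON = "application/problem+json"  # RFC 7807 media type


@dataclass(frozen=True)
class Person:
    id: int
    name: str
    start: date
    end: Optional[date] = None


# Constructed sample store. Records 2 and 1234 violate the rule "end must
# not precede start"; only 1234 has a repair scheduled by an operator.
STORE = {
    1: Person(1, "Ada", date(2010, 1, 1)),
    2: Person(2, "Cy", date(2016, 8, 8), date(2015, 1, 1)),
    1234: Person(1234, "Bob", date(2016, 8, 8), date(2015, 1, 1)),
}
REPAIR_SCHEDULED = {1234: 3600}  # id -> seconds until the fix is expected

# Full details (record contents, rule name) stay server side, in this log.
AUDIT_LOG: list = []


def validate(p: Person) -> Optional[str]:
    """Return a short, client-safe description of the violation, or None."""
    if p.end is not None and p.end < p.start:
        return "end date precedes start date"
    return None


def problem(status: int, title: str, detail: str, instance: str) -> dict:
    """Build an RFC 7807 problem-details body."""
    return {"type": "about:blank", "title": title, "status": status,
            "detail": detail, "instance": instance}


def get_person(person_id: int):
    """Return (status, headers, body) for GET /person/{person_id}."""
    instance = f"/person/{person_id}"
    p = STORE.get(person_id)
    if p is None:
        # Nothing stored under this id: 404 is correct here.
        return 404, {"Content-Type": PROBLEM_JSON}, problem(
            404, "Not Found", "no such person", instance)

    reason = validate(p)
    if reason is None:
        body = {"id": p.id, "name": p.name, "start": p.start.isoformat(),
                "end": p.end.isoformat() if p.end else None}
        return 200, {"Content-Type": "application/json"}, body

    # Record the whole offending row for operators; the client only gets
    # `reason` (never a stack trace, query text or file path).
    AUDIT_LOG.append({"id": p.id, "rule": reason, "record": repr(p)})

    if person_id in REPAIR_SCHEDULED:
        # Case 1 of the second answer: the data will be fixed, so tell the
        # client when to come back via Retry-After.
        wait = REPAIR_SCHEDULED[person_id]
        return 503, {"Content-Type": PROBLEM_JSON,
                     "Retry-After": str(wait)}, problem(
            503, "Service Unavailable",
            f"stored record is invalid ({reason}); a repair is scheduled",
            instance)

    # Case 3 (and the first answer): nothing more to offer, so 500 with a
    # body that says what is wrong with this particular resource.
    return 500, {"Content-Type": PROBLEM_JSON}, problem(
        500, "Internal Server Error",
        f"stored record is invalid: {reason}", instance)


def render(status: int, headers: dict, body: dict) -> bytes:
    """Serialise one response the way a minimal HTTP/1.1 server would."""
    payload = json.dumps(body).encode()
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(payload)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + payload


if __name__ == "__main__":
    for pid in (1, 2, 1234, 9999):
        print(render(*get_person(pid)).decode(), end="\n\n")
```

Two caveats a practitioner would want. First, the split between AUDIT_LOG and the `detail` field is the security-relevant part: the body should say which rule the stored record fails, not echo the record, a stack trace or the query that loaded it. Second, the question's worry about 503 applying to the service as a whole is real in deployment: load balancers and health checks commonly treat any 503 from an instance as "down", so a per-resource 503 can take an otherwise healthy server out of rotation unless the health-check path is excluded from this logic.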
