
I'm writing a web service with REST semantics where the user with a standards-compliant web browser will be filling a form which is processed by the server. To avoid double submit if the user presses Reload after receiving the response, the server always replies to any form submission (HTTP POST) with HTTP status 303 and gives the user-visible response with the following HTTP GET request. I'm currently using HTTP status 200 OK for the returned page.

This seems to work fine in all browsers in practice both for logically failed and successful forms with human users. However, I'm wondering, is the HTTP status 200 really the correct status code for the GET request, if the original form submission was not actually accepted?

For example, the form might contain a field for email address and if the user enters a non-acceptable email (whatever validation the server is doing during the POST submission), the form should be re-rendered via the GET request (after 303 response in between) and the problematic field should be highlighted (I can do this server-side just fine). However, using HTTP status 200 for the rendered view seems a bit weird because the form submission logically failed.

It would seem logically better if I could use some 400 series status code for the actual POST request but I have to use HTTP 303 status code to get the correct semantics to switch from POST request to GET request.

Should the GET request use something else but HTTP status 200 when the previous POST request before 303 redirect technically succeeded but logically/semantically failed? If I were to reply to the POST request with HTTP status 303 and reply to the following GET request with HTTP status 422, would that cause problems with some user agents? Technically the returned page is totally okay (to allow 200 OK) but the form content as filled by the user was unacceptable and I'll be prefilling all the other form data but password fields on the re-rendered form to match original user input. And nothing was actually stored on the server side so 422 would make sense, too.

One existing question, "What's an appropriate HTTP status code to return by a REST API service for a validation failure?", seems to be about the same thing but without using HTTP status 303 response for the initial request in the middle of the sequence.

1 Answer

One of the points of REST is that everybody understands messages the same way.

In the case of a GET request, the request means "give me the current selected representation of the target resource" (see RFC 9110). Normal responses would be 200 (you asked for the current representation, here it is) or 404 (there isn't a current representation).

> However, using HTTP status 200 for the rendered view seems a bit weird because the form submission logically failed.

It shouldn't seem at all weird. The client has asked for a current representation of the target resource; the current representation of the target resource is a form for making corrections. The fact that this is the current representation because of an implementation detail of the server's processing of other requests does not figure into the decision at all.


The important principle to understand is that HTTP response codes are meta-data of the transfer of documents over a network domain. They aren't intended to tell us anything about the semantics of the documents being transferred.


1 Comment

I agree that just applying the rationale that "HTTP is just transfer of documents over a network" would result in 200 being the correct status. However, that would make it impossible to signal at HTTP level that the POST request was denied / failed. The fact that status codes 401, 404 and 422 (among many others) do exist makes me believe that the original intent was to avoid hiding the failure.
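
The sequence discussed in this thread (POST answered with 303, then a GET answered with 200 that re-renders the form with the bad field highlighted and every value except the password prefilled), as an added example that is not part of the original posts. The `/signup` and `/welcome` paths, the `retry` token parameter, the in-memory store and the email rule are all assumptions made for this sketch.

```python
import html
import re
import secrets
from urllib.parse import parse_qs

PENDING = {}  # token -> (kept field values, field errors); in-memory, demo only
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # assumed validation rule


def handle_post(body):
    """Process the form POST; always answer 303 so Reload cannot resubmit."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    errors = {}
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        errors["email"] = "Enter a valid email address"
    if errors:
        token = secrets.token_urlsafe(16)  # unguessable handle for the retry state
        # Keep the user's input for prefilling, but never the password field.
        kept = {k: v for k, v in form.items() if k != "password"}
        PENDING[token] = (kept, errors)
        return 303, {"Location": f"/signup?retry={token}"}, ""
    return 303, {"Location": "/welcome"}, ""


def handle_get(path):
    """Return the current representation of the target resource with 200."""
    if path == "/welcome":
        return 200, {"Content-Type": "text/html"}, "<p>Account created</p>"
    token = parse_qs(path.partition("?")[2]).get("retry", [""])[0]
    # One-shot state: a second GET (Reload) shows a clean form.
    values, errors = PENDING.pop(token, ({}, {}))
    # The prefilled value is user input reflected into markup, so escape it.
    email = html.escape(values.get("email", ""), quote=True)
    cls = ' class="error"' if "email" in errors else ""
    note = f"<p>{html.escape(errors['email'])}</p>" if "email" in errors else ""
    page = (
        f'<form method="post" action="/signup">{note}'
        f'<input name="email" value="{email}"{cls}>'
        '<input name="password" type="password">'
        "<button>Send</button></form>"
    )
    return 200, {"Content-Type": "text/html"}, page
```
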
