Should I pass the 403 on to the client so they know to work on their account permissions? Should I return a 424 since there was a problem with a dependent service, or should my response be a 5xx status code?
I've scoured the internet and have been unable to find anything useful, although I imagine this is a fairly common situation. Thanks in advance.
Related
Good afternoon, let me ask
I created a service API using Laravel, but one of the API urls when I sent the response parameter was 403 or Forbidden. even though before it was fine, it worked smoothly. And I raised it to the server instead it became Forbide. Anyone know why? thank you for answering
If it is ok on local and getting a forbidden error on the server, the problem might be caused by the webserver application. please take a look at this link.
I have a web api which is deployed on IIS.
Api's are going through load test using load runner and almost on all alternative api call, getting 403 error response code, struggling to identify the issue, call is not going to the API, its returned back from IIS
I am doing bearer token authorization, somehow token which were incoming with each request were not valid, that is why the issue was occurring, to overcome this we have increased the lifetime of token to 1 hour and request load test team to generate the token once and send that token only with each request so that we can now see the proper execution time for each end point.
403 error indicates that access to the requested URL by the client is Forbidden for some reason. you need to provide detailed error message snapshot and what is the sub status code. and check that you assign this permission to the site folder:1) IIS_IUSRS,2)NETWORK SERVICE,3)IUSR
This is the responce i am getting when trying to upload a file from my client(PHP),My server is on WebApi which is hosted in one server.In my webapi i have allowed all CORS related things still i am getting this error.
Have you checked this tutorial?
Maybe when you say
In my webapi i have allowed all CORS related things
you didn't do that correctly, or maybe you enabled too many options at the same time.
It's hard to give you more details without access to your actual configuration.
There are also many posts on the same subject here on SO, have you checked them?
I have a system that logs information and sometimes find a particular IP address doing something nasty, like trying to exploit phpMyAdmin (even though it isn't even installed on the system).
When I find these offenders, I add the IP address to a block list that returns a small message whether the page exists or not and log the IP address and their query string so I can keep tabs on them.
Problem is, most of them appear to be scripts that scan, and I am still technically returning a HTTP status code of 200 with the small message. I want to be more forward with the status code, but I am not sure which one best applies.
I found the list here, and it seems that 401 or 403 best apply. Which is the best code for "banning" an IP address?
403 or 404 is best suited. See the reference for 403:
"(...) If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead."
Source: https://www.rfc-editor.org/rfc/rfc2616#section-10.4.4
For example you can return a status 403 - Forbidden and describe the reason in the response body. I'm not sure whether it is allowed to return a status code like 403 - Banned for .... In any case, innocent users are probably especially interested in the reason for the 403.
How oData or AJAX services should respond when the authentication cookie is expired and it's time to renew?
What should the server send to the client when
An oData or AJAX service access is forbidden (access denied)
When the session credentials are stale, and need to be renewed, perhaps by redirecting to an ADFS, OpenID, or Azure ACS IDP
Just looking in Wikipedia lets me guess that I should send some version of 403.x for the first scenario, and a 401 for the second scenario.
Please confirm if the above is correct, and what I should include in the response header and body as well.
Some examples I assume to be incorrect do the following:
Silently error out the AJAX service and return no data
Attempt to redirect the AJAX call to the IDP
Send error text to the client that is not in JSON format
its always safe to play with the HTTP Status codes instead of cooking up your own tokens or anything of that sort.
Since the fundamentals of OData is to make it possible for any client which knows how to communicate HTTP, it makes sense to play around the HTTP status code. The clients will decide what to do on a particular status code.
HTTP Status Codes are the way to go. OData specifically doesn't define anything that is already implemented at a lower level (such as security and authentication.)
401 is for Unauthenticated, 403 is for Unauthorized. For secnario 1 you only say "Access denied" but not why you're denying access. Is the user not authenticated? Then return 401. Is the user authenticated but lacking privileges? Then return 403.
For scenario 2, I would agree, return a detailed 401 status (i.e. with a valid "WWW-Authenticate" header for your authentication provider.)
The Wikipedia article I recommend starting at (you may have already found this) is: https://secure.wikimedia.org/wikipedia/en/wiki/List_of_HTTP_status_codes
Hope this helps someone. :-)