HTTP status code for "disabled temporarily" - http-status-codes

I would like to return an HTTP status code if signups for my site are currently disabled.
Would 503 work for this, and/or is there a more appropriate code for this kind of request?

503 looks appropriate.
From Wikipedia:
503 Service Unavailable
The server is currently unavailable (because it is overloaded or down for maintenance). Generally, this is a temporary state.

Related

Respond with 403 in an HTTPS proxy

I want to block some sites with my proxy by responding with 403. I succeeded with responding in such a way in an HTTP proxy, but when I get the CONNECT method, I respond with:
HTTP/1.1 403 Forbidden
Status: 403 Forbidden
Proxy-agent: smth
Connection: close
But users still get the ERR_TUNNEL_CONNECTION_FAILED. What can I do to provide users with a nice 403 error?
RFC 2817 does not disallow 4xx codes, and the Draft has the section "4. Extensibility" that states that
"The tunneling handshake is freely extensible using the HTTP/1.x headers;"
But it looks like all browsers decided to just ignore almost every non-2xx code for security reasons.
Here are some bug reports:
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565641(v=vs.85)
Internet Explorer 8 has a feature that ensures that the secure connection is made all the way to the target server. If it isn't, then no page is displayed.
https://bugzilla.mozilla.org/show_bug.cgi?id=479880
I realize that I'm way late to the party here, but [...] this fix is terrible for proxy admins (myself included). Our proxy returns a 403 forbidden for filtered SSL content and an error page about why the content is blocked, and Firefox just drops all of it on the floor
https://bugs.chromium.org/p/chromium/issues/detail?id=7338
So that's the way it is.

Response code: 503 Response message: Service Unavailable

I have given two URLs in a CSV file and am trying to load them in JMeter. I am getting a 503 response code.
As per HTTP 503 status code description
The HyperText Transfer Protocol (HTTP) 503 Service Unavailable server error response code indicates that the server is not ready to handle the request.
Common causes are a server that is down for maintenance or that is overloaded. This response should be used for temporary conditions and the Retry-After HTTP header should, if possible, contain the estimated time for the recovery of the service.
Note: together with this response, a user-friendly page explaining the problem should be sent.
Caching-related headers that are sent along with this response should be taken care of, as a 503 status is often a temporary condition and responses shouldn't usually be cached.
So I can think of at least 3 possible issues:
Your server is really overloaded, you can try checking Response Data tab of the View Results Tree listener - if you're lucky - you will see the aforementioned "user-friendly page explaining the problem"
Your request is malformed and server is sending 503 response instead of 4xx which indicates client-side error. Double check what URL(s) you're trying to open by looking into Request tab of the View Results Tree listener and try to open it in the browser. If you're building the URL from parts (i.e. host, port, protocol, query string, etc.) - you might want to check if the values are correctly read from the CSV file using Debug Sampler
I fail to see HTTP Header Manager in your Test Plan, some servers check the client Headers, for example User-Agent or Accept and may report an error if the required header is missing (i.e. indicating that the browser is not supported)
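
A check for the header guidance quoted in the answer above (Retry-After and caching on a 503), as an added example that is not part of the original answer. The function names and the sample header sets are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def retry_after_seconds(value, now=None):
    """Parse Retry-After (delta-seconds or HTTP-date); None if invalid."""
    value = value.strip()
    if value.isascii() and value.isdigit():
        return int(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0, int((when - now).total_seconds()))


def audit_503(status, headers, now=None):
    """Return a list of problems with a 'temporarily unavailable' response."""
    if status != 503:
        return [f"status is {status}, not 503"]
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if "retry-after" not in h:
        problems.append("no Retry-After header")
    elif retry_after_seconds(h["retry-after"], now) is None:
        problems.append("Retry-After is neither delta-seconds nor an HTTP-date")
    # Split Cache-Control into {directive: value}.
    cc = {}
    for part in h.get("cache-control", "").lower().split(","):
        name, _, val = part.strip().partition("=")
        if name:
            cc[name] = val.strip('"')
    fresh = any(cc.get(d, "").isdigit() and int(cc[d]) > 0
                for d in ("max-age", "s-maxage"))
    if "no-store" not in cc and (fresh or "public" in cc):
        problems.append("Cache-Control lets caches store the 503")
    return problems


# Constructed sample header sets (not captured traffic).
GOOD = {"Retry-After": "3600", "Cache-Control": "no-store"}
BAD = {"Retry-After": "soon", "Cache-Control": "public, max-age=86400"}

if __name__ == "__main__":
    print(audit_503(503, GOOD))
    print(audit_503(503, BAD))
```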

HTTP status code for a resource infected by virus

I'm developing an application which acts as an Http-Proxy for serving files from an external resource. It actually downloads the file from the external resource, checks for viruses and if the file is not infected, returns the file to the client.
My problem is, if the file is infected, what HTTP status code should my service return? I suppose that any type of 4xx error code is not appropriate for that situation because this class of code is intended for client errors.
Is a 502 (Bad Gateway) error more appropriate?
Is there any kind of Standard that covers this situation?
I think you are right, maestromarko: 502 Bad Gateway. Read the specifications here:
The 502 (Bad Gateway) status code indicates that the server, while
acting as a gateway or proxy, received an invalid response from an
inbound server it accessed while attempting to fulfill the request.
Your proxy is acting as a gateway and it received what it considers invalid, as there is a virus in it.
It is not a 4xx class error, because whatever the client changes in the request, the result will still be an error.
See also this decision diagram
Http response codes are only meant to handle http specific conditions so I don't think there is a correct answer as such. But some possibilities...
204 - "The server successfully processed the request and is not returning any content"
403 - "The request was valid, but the server is refusing action"
https://en.m.wikipedia.org/wiki/List_of_HTTP_status_codes

Http status code for bad params in post request

I have a server in which the client can register itself as a device (like a mobile device). For the registration, the device must be associated with another resource (say a user) which is already registered on the server. To do that, the client sends an HTTP POST request to the server, with two params, its own ID and the associated resource ID.
I need to choose an HTTP status code to return when the client asks the server to do some procedure and one of the resources indicated in the parameters is not found.
I suggested 404, but my professor said that 404 is used when the resource associated to the URI is not found, not when you submit a well-formed request with bad parameters.
What is the most suitable HTTP status and why would you choose it?
In my opinion, it fits to:
400 - Bad Request
The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
OR
403 - Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
Ref: RFC 2616
I would use 403 'Forbidden' - meaning, you are forbidden from accessing the page with the request you have sent

Proper HTTP status to return for hacking attempts

I have a system that logs information and sometimes find a particular IP address doing something nasty, like trying to exploit phpMyAdmin (even though it isn't even installed on the system).
When I find these offenders, I add the IP address to a block list that returns a small message whether the page exists or not and log the IP address and their query string so I can keep tabs on them.
Problem is, most of them appear to be scripts that scan, and I am still technically returning an HTTP status code of 200 with the small message. I want to be more forward with the status code, but I am not sure which one best applies.
I found the list here, and it seems that 401 or 403 best apply. Which is the best code for "banning" an IP address?
403 or 404 is best suited. See the reference for 403:
"(...) If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead."
Source: https://www.rfc-editor.org/rfc/rfc2616#section-10.4.4
For example you can return a status 403 - Forbidden and describe the reason in the response body. I'm not sure whether it is allowed to return a status code like 403 - Banned for .... In any case, innocent users are probably especially interested in the reason for the 403.
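
The block-list behaviour discussed in this question and answer (403 with a reason in the body, or 404 when the reason should not be disclosed, with the IP address and query string logged), sketched as WSGI middleware. This is an added example, not part of the original posts; `BlocklistMiddleware`, `demo_app`, the `disclose` flag and the sample addresses are assumptions.

```python
import ipaddress
import logging

log = logging.getLogger("blocklist")


class BlocklistMiddleware:
    """WSGI middleware that refuses block-listed clients before the app runs."""

    def __init__(self, app, blocked, disclose=True):
        self.app = app
        # Entries may be single addresses or CIDR ranges.
        self.networks = [ipaddress.ip_network(b, strict=False) for b in blocked]
        self.disclose = disclose  # True: 403 with a reason; False: plain 404

    def is_blocked(self, addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # unparsable peer address: leave it to the app
        return any(ip in net for net in self.networks)

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the socket peer; client-supplied headers such as
        # X-Forwarded-For are not trusted here.
        addr = environ.get("REMOTE_ADDR", "")
        if not self.is_blocked(addr):
            return self.app(environ, start_response)
        # %r escapes CR/LF, so a crafted query string cannot forge log lines.
        log.warning("blocked ip=%s path=%r query=%r", addr,
                    environ.get("PATH_INFO", ""), environ.get("QUERY_STRING", ""))
        if self.disclose:
            status, body = "403 Forbidden", b"Requests from your address are blocked.\n"
        else:
            status, body = "404 Not Found", b"Not Found\n"
        start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                                ("Content-Length", str(len(body)))])
        # A HEAD response carries headers only.
        return [] if environ.get("REQUEST_METHOD") == "HEAD" else [body]


def demo_app(environ, start_response):  # hypothetical stand-in for the real site
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


# Constructed block list using documentation address ranges (RFC 5737).
guarded = BlocklistMiddleware(demo_app, ["203.0.113.7", "198.51.100.0/24"])
```

Behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so the check would have to run on the proxy or use an address the proxy itself sets.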
