Appendix B. The HTTP Response Code Top 42
Many web services use HTTP status codes incorrectly. The human web hardly uses them at all. Human beings discover what a document means by reading it, not by looking at an attached numeric code. You’ll see “404” in an HTML page that talks about a missing document, but your attention is on the phrase “missing document,” not on the number. And even the “404” you see is part of the HTML page, put there for human convenience: your browser doesn’t show you the underlying 404 response code.
So when there’s an error condition on the human web, most applications send a response code of 200 (“OK”), even though everything’s not OK. The error condition is described in an HTML entity-body, and a human being is supposed to figure out what to do about the error. The human never sees the response code in the first place, and the browser treats most response codes the same way, so why should the server bother picking the “right” code for a given situation?
On the programmable web, there are no human beings guiding the behavior of clients. A computer program can’t reliably figure out what a document means just by looking at it. The same document might be an error message in one context, and the legitimate fulfillment of a GET request in another. We need some way of signalling which way of looking at the response is correct. This information can’t go into the entity-body document, because then getting it out would require an understanding of the document. So on the programmable web, HTTP response codes become very important. They tell a client how to deal with the document in the entity-body, or what to do if they can’t understand the document. A client—or an intermediary between server and client, like a firewall—can figure out how an HTTP request went, just by looking at the first three bytes of the response.
The problem is that there are 41 official response codes, and standards like WebDAV add even more. Many of the codes are rarely used, two of them are never used, and some are only distinguishable from one another by careful hairsplitting. To someone used to the human web (that’s all of us), the variety of response codes can be bewildering.
In this appendix I give a brief explanation of every standard status code, with tips on when to use each one in your RESTful services, and my personal opinion as to how important each one is in the context of this book. If a client has to do something specific to get a certain response code, I explain what that is. I also list which HTTP response headers, and what kind of entity-body, the server ought to send along with a response code. This is an appendix for the web service author, but it’s also for the client author, who’s received a strange response code and doesn’t know what it means.
I cover all 41 codes from the HTTP standard, even though some of them (mainly the ones to do with proxies) are a little beyond the scope of this book. I also cover 207 (“Multi-Status”), a response code from the WebDAV extension which I mentioned back in Chapter 8. WebDAV defines five response codes besides 207, and some web servers define the nonstandard code 509 (“Bandwidth Limit Exceeded”). Though not part of HTTP, these status codes are fairly well established, and you can use them if you like. I don’t cover them because they’re more explicit versions of standard response codes. You can always send 503 (“Service Not Available”) instead of the 509 response code, and 409 (“Conflict”) instead of WebDAV’s 423 (“Locked”). I cover 207 (“Multi-Status”), because no standard status code does anything similar.
Three to Seven Status Codes: The Bare Minimum
If you don’t like the proliferation of status codes, you can serve just three and still convey the basic information a client needs to know to handle the response.
- 200 (“OK”)
Everything’s fine. The document in the entity-body, if any, is a representation of some resource.
- 400 (“Bad Request”)
There’s a problem on the client side. The document in the entity-body, if any, is an error message. Hopefully the client can understand the error message and use it to fix the problem.
- 500 (“Internal Server Error”)
There’s a problem on the server side. The document in the entity-body, if any, is an error message. The error message probably won’t do much good, since the client can’t fix a server problem.
There are four more error codes that are especially common in web services:
- 301 (“Moved Permanently”)
Sent when the client triggers some action that causes the URI of a resource to change. Also sent if a client requests the old URI.
- 404 (“Not Found”) and 410 (“Gone”)
Sent when the client requests a URI that doesn’t map to any resource. 404 is used when the server has no clue what the client is asking for. 410 is used when the server knows there used to be a resource there, but there isn’t anymore.
- 409 (“Conflict”)
Sent when the client tries to perform an operation that would leave one or more resources in an inconsistent state.
SOAP web services use only the status codes 200 (“OK”) and 500 (“Internal Server Error”). The 500 status code happens whether there’s a problem with the data you sent the SOAP server, a problem with processing the data, or an internal problem with the SOAP server itself. There’s no way to tell without looking at the body of the SOAP document, which contains a descriptive “fault.” To know what happened with the request you can’t just look at the first three bytes of the response: you have to parse an XML file and understand what it says. This is another example of how Big Web Services reimplement existing features of HTTP in opaque ways.
1xx: Meta
The 1xx series of response codes are used only in negotiations with the HTTP server.
100 (“Continue”)
Importance: Medium, but (as of time of writing) rarely used.
This is one of the possible responses to an HTTP look-before-you-leap (LBYL) request, described in Chapter 8. This status code indicates that the client should resend its initial request, including the (possibly large or sensitive) representation that was omitted the first time. The client doesn’t need to worry about sending a representation only to have it rejected. The other possible response to a look-before-you-leap request is 417 (“Expectation Failed”).
Request headers: To make a LBYL request,
the client must set the Expect
header to the literal value “100-continue.” The client must also set
any other headers the server will need when determining whether to
respond with 100 or 417.
101 (“Switching Protocols”)
Importance: Very low.
A client will only get this response code when its request uses the
Upgrade
header to inform the server
that the client would prefer to use some protocol other than HTTP. A
response of 101 means “All right, now I’m speaking another protocol.”
Ordinarily, an HTTP client would close the TCP connection once it read
the response from the server. But a response code of 101 means it’s
time for the client to stop being an HTTP client and start being some
other kind of client.
The Upgrade
header is hardly
ever used, though it could be used to trade up from HTTP to HTTPS, or
from HTTP 1.1 to a future version. It could also be used to switch
from HTTP to a totally different protocol like IRC, but that would
require the web server also to be an IRC server and the web client to
also be an IRC client, because the server starts speaking the new
protocol immediately, over the same TCP connection.
Request headers: The client sets Upgrade
to a list of protocols it’d rather
be using than HTTP.
Response headers: If the server wants to
upgrade, it sends back an Upgrade
header saying which protocol it’s switching to, and then a blank line.
Instead of closing the TCP connection, the server begins speaking the
new protocol, and continues speaking the new protocol until the
connection is closed.
2xx: Success
The 2xx error codes indicate that an operation was successful.
200 (“OK”)
Importance: Very high.
In most cases, this is the code the client hopes to see. It indicates that the server successfully carried out whatever action the client requested, and that no more specific code in the 2xx series is appropriate. My bookmarking service sends this code, along with a representation, when the client requests a list of bookmarks.
Entity-body: For GET requests, a representation of the resource the client requested. For other requests, a representation of the current state of the selected resource, or a description of the action just performed.
201 (“Created”)
Importance: High.
The server sends this status code when it creates a new resource at the client’s request. My bookmarking service sends this code in response to a POST request that creates a new user account or bookmark.
Response headers: The Location
header should contain the canonical
URI to the new resource.
Entity-body: Should describe and link to
the newly created resource. A representation of that resource is
acceptable, if you use the Location
header to tell the client where the resource actually lives.
202 (“Accepted”)
Importance: Medium.
The client’s request can’t or won’t be handled in real time. It will be processed later. The request looks valid, but it might turn out to have problems when it’s finally processed.
This is an appropriate response when a request triggers an asynchronous action, an action in the real world, or an action that would take so long that there’s no point making the web client wait around. It’s an important part of the RESTful system for asynchronous operations that I described in Chapter 8.
Response headers: The pending request
should be exposed as a resource so the client can check up on it
later. The Location
header can
contain the URI to this resource.
Entity-body: If there’s no way for the client to check up on the request later, at least give an estimate of when the request will be processed.
203 (“Non-Authoritative Information”)
Importance: Very low.
This status code is the same as 200 (“OK”), but the server wants the client to know that some of the response headers do not come from the server. They may be mirrored from a previous request of the client’s, or obtained from a third party.
Response Headers: The client should know that some headers may not be accurate, and others may be passed along without the server knowing what they mean.
204 (“No Content”)
Importance: High.
This status code is usually sent out in response to a PUT, POST, or DELETE request, when the server declines to send back any status message or representation. The server may also send 204 in conjunction with a GET request: the resource requested exists, but has an empty representation. Compare 304 (“Not Modified”).
204 is often used in Ajax applications. It lets the server tell the client that its input was accepted, but that the client shouldn’t change any UI elements.
Entity-body: Not allowed.
205 (“Reset Content”)
Importance: Low.
This is just like 204 (“No Content”), but it implies that the client should reset the view or data structure that was the source of the data. If you submit an HTML form in your web browser and the response is 204 (“No Content”), your data stays in the form and you can change it. If you get a 205, the form fields reset to their original values. In data entry terms: 204 is good for making a series of edits to a single record; 205 is good for entering a series of records in succession.
Entity-body: Not allowed.
206 (“Partial Content”)
Importance: Very high for services that support partial GET, low otherwise.
This is just like 200 (“OK”), but it designates a response to a partial
GET request: that is, one that uses the Content-Range
request header. A client
usually makes a partial GET request to resume an interrupted download
of a large binary representation. I cover partial GET in Chapter 8.
Request headers: The client sends a value
for the Content-Range
header.
Response headers: The Date
header is required. The ETag
and Content-Location
headers should be set to
the same values that would have been sent along with the
representation as a whole.
If the entity-body is a single byte range from the
representation, the response as a whole must have a Content-Range
header explaining which bytes
of the representation are being served. If the body is a multipart
entity (that is, multiple byte ranges of the representation are being
served), each part must have its own Content-Range
header.
Entity-body: Will not contain a full representation: just one or more sequences of bytes from the representation.
207 (“Multi-Status”)
Importance: Low to medium.
This is a WebDAV extension to the HTTP standard which is useful in the response to a batch request. I showed a RESTful way of exposing batch operations in Chapter 8, and I pointed out that when a request operates on more than one resource, some operations might succeed while others fail. A single response code won’t suffice to convey the status of the request.
This response code tells the client to look in the entity-body for a list of HTTP status codes: one for each operation in the batch request. This violates the principle that the client should be able to figure out what happened to the request just by looking at the first three bytes, but when a single request carries out more than one operation, there’s no alternative.
Entity-body: Should contain an XML document that uses the WebDAV vocabulary to describe a number of HTTP responses. The WebDAV standard (RFC 2518) defines this XML vocabulary and gives several examples.
3xx: Redirection
The 3xx status codes indicate that the client needs to do some extra
work to get what it wants. They’re most commonly used with GET requests,
and they usually tell the client that it can only get the representation
it wants by sending a second GET request to some other URI. This
secondary URI is sent in the Location
response
header.
This is the trickiest set of response codes, because 301 (“Moved Permanently”), 302 (“Found”), 303 (“See Other”), and 307 (“Temporary Redirect”) are all very similar. Many applications use these status codes indiscriminately as a way of bouncing the client around from URI to URI, with little regard for what this means in terms of the underlying resources. My main goal in this section is to clear up the confusion.
300 (“Multiple Choices”)
Importance: Low.
The server can send this status code when it has multiple
representations of a requested resource, and it doesn’t know which
representation the client wants. Either the client didn’t use the
Accept-*
headers to specify a
representation, or it asked for a representation that doesn’t
exist.
In this situation, the server can just pick its preferred representation, and send it along with a 200 (“OK”) status code. But it may decide instead to send a 300 along with a list of possible URIs to different representations.
Response headers: If the server has a
preferred representation, it can put the URI to that representation in
Location
. As with other 3xx status
codes, the client may automatically follow the URI in Location
.
Entity-body: A list of URIs to representations, annotated with any information necessary to let the user make a choice between them. An XHTML list of links is a good format for this.
301 (“Moved Permanently”)
Importance: Medium.
The server knows which resource the client is trying to access, but it doesn’t care for the URI it used to request the resource. It wants the client to take note of the new URI, and use it in future requests.
You can use this status code to keep old URIs from breaking when your URIs change.
Response headers: The server should put the
canonical URI in Location
.
Entity-body: The server should send a short XHTML file with a hyperlink to the new location, but it’s not necessary.
302 (“Found”)
Importance: Very important to know about, especially when writing clients. I don’t recommend using it.
This status code is the ultimate source of most redirection-related confusion. It’s supposed to be handled just like 307 (“Temporary Redirect”). In fact, in HTTP 1.0 its name was “Moved Temporarily.” Unfortunately, in real life most clients handle 302 just like 303 (“See Other”). The difference hinges on what the client is supposed to do when it gets a 302 in response to a PUT, POST, or DELETE request. See the entry for 307 below if you’re interested in the details.
To resolve this ambiguity, in HTTP 1.1 this response code was renamed to “Found,” and response code 307 was created. This response code is still in wide use, but it’s ambiguous, and I recommend that your services send 303 and 307 instead. The only exception is if you know you’re dealing with an HTTP 1.0 client that doesn’t understand 303 or 307.
Response headers: The Location
header contains the URI to which
the client should resubmit the request.
Entity-body: Should contain a hypertext document linking to the new URI, as with 301.
303 (“See Other”)
Importance: High.
The request has been processed, but instead of the server sending a
response document, it’s sending the client the URI of a response
document. This may be the URI to a static status message, or the URI
to some more interesting resource. In the latter case, a 303 is a way
for the server to send a representation of a resource without forcing
the client to download all that data. The client is expected to send a
GET request to the value of Location
, but it doesn’t have to.
The 303 status code is a good way to canonicalize your resources. You can make them available through many URIs, but only have one “real” URI per representation. All the other URIs use a 303 to point to the canonical URI for that representation. For instance, a 303 might redirect a request for http://www.example.com/software/current.tar.gz to the URI http://www.example.com/software/1.0.2.tar.gz.
Compare to 307 (“Temporary Redirect”).
Response headers: The Location
header contains the URI of the
representation.
Entity-body: Should contain a hypertext document linking to the new URI, as with 301.
304 (“Not Modified”)
Importance: High.
This status code is similar to 204 (“No Content”) in that the response body must be empty. But 204 is used when there is no body data to send, and 304 is used when there is data but the client already has it. There’s no point in sending it again.
This status code is used in conjunction with conditional HTTP
requests. If the client sends an If-Modified-Since
header with a date of
Sunday, and the representation hasn’t changed since Sunday, then a 304
is appropriate. A 200 (“OK”) would also be appropriate, but sending
the representation again would use bandwidth to no purpose. The client
already has the representation.
Response headers: The Date
header is required. The ETag
and Content-Location
headers should be set to
the same values that would have been sent if the response code were
200 (“OK”).
The caching headers Expires
,
Cache-Control
, and Vary
are required if they’ve changed from
those sent previously.
There are complicated caching rules about this that I won’t cover here, but the server can send updated headers without sending a new body. This is useful when a representation’s metadata has changed, but the representation itself hasn’t.
Entity-body: Not allowed.
305 (“Use Proxy”)
Importance: Low.
This status code is used to tell the client that it should repeat its request, but go through an HTTP proxy instead of going to the server directly. This code is rarely used because it’s very rare for a server to care that the client use a specific proxy.
This code would be used more frequently if there were
proxy-based mirror sites. Today, a mirror site for http://www.example.com/
provides the same
content but at a different URI, say http://www.example.com.mysite.com/
. The
original site might use the 307 (“Temporary Redirect”) status code to
send clients to an appropriate mirror site.
If there were proxy-based mirror sites, then you would access
the mirror with the same URI as the original (http://www.example.com/
), but set http://proxy.mysite.com/
as your proxy.
Here, the original example.com
might use the 305 status code to route clients to a mirror proxy
that’s geographically close to them.
Web browsers typically don’t handle this status code correctly: another reason for its lack of popularity.
Response headers: The Location
header contains the URI to the
proxy.
306: Unused
Importance: None.
The 306 status code never made it into an HTTP standard. It was described in the Internet Draft “HTTP/1.1 305 and 306 Response Codes” as “Switch Proxy,” a status code sent by a proxy server to get the client to start using a different proxy. Don’t worry about it.
307 (“Temporary Redirect”)
Importance: High.
The request has not been processed, because the requested resource is not home: it’s located at some other URI. The client should resubmit the request to another URI.
For GET requests, where the only thing being requested is that the server send a representation, this status code is identical to 303 (“See Other”). A typical case where 307 is a good response to a GET is when the server wants to send a client to a mirror site. But for POST, PUT, and DELETE requests, where the server is expected to take some action in response to the request, this status code is significantly different from 303.
A 303 in response to a POST, PUT, or DELETE means that the operation has succeeded but that the response entity-body is not being sent along with this request. If the client wants the response entity-body, it needs to make a GET request to another URI.
A 307 in response to a POST, PUT, or DELETE means that the
server has not even tried to perform the operation. The client needs
to resubmit the entire request to the URI in the Location
header.
An analogy may help. You go to a pharmacy with a prescription to be filled. A 303 is the pharmacist saying “We’ve filled your prescription. Go to the next window to pick up your medicine.” A 307 is the pharmacist saying “We can’t fill that prescription. Go to the pharmacy next door.”
Response headers: The Location
header contains the URI to which
the client should resubmit the request.
Entity-body: Should contain a hypertext document linking to the new URI, as with 301.
4xx: Client-Side Error
These status codes indicate that something is wrong on the client side. There’s a problem with authentication, with the format of the representation, or with the HTTP library itself. The client needs to fix something on its end.
400 (“Bad Request”)
Importance: High.
This is the generic client-side error status, used when no other 4xx error code is appropriate. It’s commonly used when the client submits a representation along with a PUT or POST request, and the representation is in the right format, but it doesn’t make any sense.
Entity-body: May contain a document describing why the server thinks there’s a client-side error.
401 (“Unauthorized”)
Importance: High.
The client tried to operate on a protected resource without providing the proper authentication credentials. It may have provided the wrong credentials, or none at all. The credentials may be a username and password, an API key, or an authentication token—whatever the service in question is expecting. It’s common for a client to make a request for a URI and accept a 401 just so it knows what kind of credentials to send and in what format. In fact, the HTTP Digest mode of authentication depends on this behavior.
If the server doesn’t want to acknowledge the existence of the resource to unauthorized users, it may lie and send a 404 (“Not Found”) instead of a 401. The downside of this is that clients need to know, in advance, what kind of authentication the server expects for that resource: things like HTTP Digest won’t work.
Response headers: The WWW-Authenticate
header describes what kind
of authentication the server will accept.
Entity-body: A document describing the failure: why the credentials (if any were provided) were rejected, and what credentials would be accepted. If the end user can get credentials by signing up on a web site, or creating a “user account” resource, a link to the sign up URI is useful.
402 (“Payment Required”)
Importance: None.
Apart from its name, this status code is not defined in the HTTP standard: it’s “reserved for future use.” This is because there’s no micropayment system for HTTP. That said, if there ever is a micropayment system for HTTP, web services are among the first places that system will start showing up. If you want to charge your users by the web service request, and your relationship with them makes that possible, you might have a use for this status code. But note that Amazon S3 doesn’t use this status code, and it charges by the request just fine.
403 (“Forbidden”)
Importance: Medium.
The client’s request is formed correctly, but the server doesn’t want to carry it out. This is not merely a case of insufficient credentials: that would be 401 (“Unauthorized”). This is more like a resource that is only accessible at certain times, or from certain IP addresses.
A response of 403 implies that the client requested a resource that really exists. As with 401 (“Unauthorized”), if the server doesn’t want to give out even this information, it can lie and send a 404 (“Not Found”) instead.
If the client’s request is well-formed, why is this status code in the 4xx series (client-side error) instead of the 5xx series (server-side error)? Because the server made its decision based on some aspect of the request other than its form: say, the time of day the request was made.
Entity-body: Optionally, a document describing why the request was denied.
404 (“Not Found”)
Importance: High.
Probably the most famous HTTP status code. 404 indicates that the server can’t map the client’s URI to a resource. Compare 410 (“Gone”), which is slightly more helpful. A web service may use a 404 response as a signal to the client that the URI is “free”; the client can then create a new resource by sending a PUT request to that URI.
Remember that a 404 may be a lie to cover up a 403 or 401. It might be that the resource exists, but the server doesn’t want to let the client know about it.
405 (“Method Not Allowed”)
Importance: Medium.
The client tried to use an HTTP method that this resource doesn’t support. For instance, a read-only resource may support only GET and HEAD. Another resource may allow GET and POST, but not PUT or DELETE.
Response headers: The Allow
header lists the HTTP methods that
this resource does support. The following is a sample header:
Allow: GET, POST
406 (“Not Acceptable”)
Importance: Medium.
The server may send this response code when the client places so many
restrictions on what it considers an acceptable representation
(probably using the Accept-*
request headers) that the server can’t send any representation at all.
The server may instead choose to ignore the client’s pickiness, and
simply send its preferred representation along with a response code of
200 (“OK”). This is usually what happens on the human web.
Entity-body: A list of links to acceptable representations, in a format similar to that described in 300 (“Multiple Choices”).
407 (“Proxy Authentication Required”)
Importance: Low.
You’ll only see this status code from an HTTP proxy. It’s just like 401 (“Unauthorized”), except the problem is not that you can’t use the web service without credentials: it’s that you can’t use the proxy without credentials. As with 401, the problem may be that the client provided no credentials, or that the credentials provided are bad or insufficient.
Request headers: To send credentials to the
proxy, the client uses the Proxy-Authorization
header instead of
the Authorization
header. The
format is identical to that of Authorization
.
Response headers: Instead of the Authenticate
header, the proxy fills the
Proxy-Authenticate
header with
information about what kind of authentication it expects. The format
is identical to that of Authenticate
.
Note that both the proxy and the web service may require credentials, so the client may clear up a 407 only to be hit with a 401 (“Unauthorized”).
408 (“Request Timeout”)
Importance: Low.
If an HTTP client opens a connection to the server, but never sends a request (or never sends the blank line that signals the end of the request), the server should eventually send a 408 response code and close the connection.
409 (“Conflict”)
Importance: High.
Getting this response code means that you tried to put the server’s resources into an impossible or inconsistent state. Amazon S3 gives this response code when you try to delete a bucket that’s not empty. My bookmarking service gives it when you try to change your username to a name that’s already taken.
Response headers: If the conflict is caused
by the existence of some other resource (such as when you try to
change your username to a name that’s taken), the Location
header should point to the URI of
that resource: that is, the source of the conflict.
Entity-body: Should contain a document that describes the conflicts, so that the client can resolve them if possible.
410 (“Gone”)
Importance: Medium.
This response code is like 404 (“Not Found”), but it provides a little more information. It’s used when the server knows that the requested URI used to refer to a resource, but no longer does. The server doesn’t know any new URI for the resource; if it did, it would send a 301 (“Permanent Redirect”).
Like the permanent redirect, a 410 response code has the implication that the client should remove the current URI from its vocabulary, and stop making requests for it. Unlike the permanent redirect, the 410 offers no replacement for the bad URI: It’s just gone. RFC 2616 suggests using a 410 response code “for limited-time, promotional services and for resources belonging to individuals no longer working at the server’s site.”
You might be tempted to send this response code in response to a successful DELETE request, but that’s a little too cute. The client wouldn’t know whether it deleted the resource or whether it was gone before it made their request. The correct response to a successful DELETE request is 200 (“OK”).
411 (“Length Required”)
Importance: Low to medium.
An HTTP request that includes a representation should set the Content-Length
request header to the length
(in bytes) of the representation. Sometimes this is inconvenient for
the client: for instance, when the representation is being streamed
from some other source. So HTTP doesn’t require a client to send the
Content-Length
header with each
request. However, the HTTP server is within its rights to require it
for any given request. The server is allowed to
interrupt any request that starts sending a
representation without having provided a Content-Length
, and demand that the client
resubmit the request with a Content-Length
header. This is the response
code that goes along with the interruption.
If the client lies about the length, or otherwise sends too large a representation, the server may interrupt it and close the connection, but in that case the response code is 413 (“Request Entity Too Large”).
412 (“Precondition Failed”)
Importance: Medium.
The client specified one or more preconditions in its request headers, effectively telling the server to carry out its request only if certain conditions were met. Those conditions were in fact not met, so instead of carrying out the request the server sends this status code.
A common precondition is If-Unmodified-Since
. The client may PUT a
request to modify a resource, but ask that the changes take effect
only if no one else has modified the resource since the client last
fetched it. Without the precondition, the client might overwrite
someone else’s changes without realizing it, or might cause a 409
(“Conflict”).
Request headers: The client might get this
response code by using any of the If-Match
, If-None-Match
, or If-Unmodified-Since
headers.
If-None-Match
is a bit
special. If the client specifies If-None-Match
when making a GET or HEAD
request, and the precondition fails, then the response code is not 412
but 304 (“Not Modified”). This is the basis of conditional HTTP GET.
If a PUT, POST, or DELETE request uses If-None-Match
, and the precondition fails,
then the response code is 412. The response code is also 412 when a
precondition uses the If-Match
or
If-Unmodified-Since
headers, no
matter what the HTTP method is.
413 (“Request Entity Too Large”)
Importance: Low to medium.
This is similar to 411 (“Length Required”) in that the server can interrupt the client’s request with this status code, and close the connection without waiting for the request to complete. The 411 status code was for requests that didn’t specify the length of their representation. This status code is for requests that send a representation that’s too large for the server to handle.
A look-before-you-leap request (see Chapter 8) is the best way for a client to avoid being interrupted with this error. If the LBYL request gets a response code of 100 (“Continue”), the client can go ahead and submit the full representation.
Response headers: The problem may be
temporary and on the server side (a lack of resources) rather than on
the client side (the representation is just too damn big). If so, the
server may set the Retry-After
header to a date or a number of seconds, and the client can retry its
request later.
414 (“Request-URI Too Long”)
Importance: Low.
The HTTP standard imposes no official limit on the length of a URI (and, in my opinion, there shouldn’t be any). However, most existing web servers impose an upper limit on the length of a URI, and a web service may do the same. The most common cause is a client putting representation data in the URI, when it should be in the entity-body. Deeply-nested data structures can also cause very long URIs.
415 (“Unsupported Media Type”)
Importance: Medium.
The server sends this status code when the client sends a representation in a media type it doesn’t understand. The server might have been expecting XML and the client sent JSON.
If the client sends a document that’s got the right media type but the wrong format (such as an XML document written in the wrong vocabulary), a better response is the more generic 400 (“Bad Request”). That’s what I use throughout my bookmark service. If you really want to treat that case specially, you can send the WebDAV extended response code 422 (“Unprocessable Entity”).
416 (“Requested Range Not Satisfiable”)
Importance: Low.
The server sends this status code when the client asks for a series of byte-ranges from a representation, but the representation is actually too small for any of the byte-ranges to apply. In other words, if you ask for byte 100 of a 99-byte representation, you’ll get this status code.
Request headers: This status code will only
be sent when the original request included the Range
header request field. It will not be
sent if the original request included the If-Range
header request field;
Response headers: The server should send a
Content-Range
field that tells the
client the actual size of the representation.
417 (“Expectation Failed”)
Importance: Medium, but (as of time of writing) rarely used.
This response code is the flip side of 100 (“Continue”). If you make a LBYL request to see whether the server will accept your representation, and the server decides it will, you get a response code 100 and you can go ahead. If the server decides it won’t accept your representation, you get a response code 417, and you shouldn’t bother sending your representation.
5xx: Server-Side Error
The 5xx series of status codes is for representing problems on
the server side. In most cases, these codes mean the server is not in a
state to run the client’s request or even see whether it’s correct, and
that the client should retry its request later. Sometimes the server can
estimate how much later the client should retry its
request, and put that information into the Retry-After
response header.
There are fewer 5xx status codes than 4xx status codes, not because fewer things might go wrong on the server, but because there’s not much point in being specific: the client can’t do anything to fix a problem on the server.
500 (“Internal Server Error”)
Importance: High.
This is the generic server error response. Most web frameworks send this status code if they run request handler code that raises an exception.
501 (“Not Implemented”)
Importance: Low.
The client tried to use a feature of HTTP (possibly an extended feature) which the server doesn’t support.
The most common case is when a client tries to make a request that uses an extended HTTP method, like WebDAV’s COPY, which a plain web server doesn’t support. This is similar to the response code 405 (“Method Not Allowed”), but 405 implies that the client is using a recognized method on a resource that doesn’t support it. A response code of 501 means that the server doesn’t recognize the method at all.
502 (“Bad Gateway”)
Importance: Low.
You’ll only get this response code from an HTTP proxy. It indicates that there was a problem with the proxy, or between the proxy and the upstream server, rather than a problem on the upstream server.
If the proxy can’t reach the upstream server at all, the response code will be 504 (“Gateway Timeout”) instead.
503 (“Service Unavailable”)
Importance: Medium to high.
This status code means that the HTTP server is up, but the underlying web service isn’t working properly. The most likely cause is resource starvation: too many requests are coming in at once for the service to handle them all.
Since repeated client requests are probably what’s causing the problem, the HTTP server always has the option of refusing to accept a client request, rather than accepting it only to send a 503 response code.
Response headers: The server may send a
Retry-After
header telling the
client when they can try submitting their request again.
504 (“Gateway Timeout”)
Importance: Low.
Like 502 (“Bad Gateway”), you’ll only see this from an HTTP proxy. This status code signals that the proxy couldn’t connect to the upstream server.
505 (“HTTP Version Not Supported”)
Importance: Very low.
This status code is sent by a server that doesn’t support the version of HTTP the client is trying to use. Since HTTP 1.1 is backward compatible with 0.9 and 1.0, you’re not likely to see this status code anytime soon. There are still some HTTP 1.0 servers around, and you might see it if you try to use features of HTTP 1.1 on them. Any HTTP 1.1 implementation that’s complete enough to support this status code is probably also complete enough to support HTTP 1.0 and 0.9.
Entity-body: Should contain a document describing which protocols the server does support.
Get RESTful Web Services now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.