Код ошибки недостаточно прав http

Привет, читатель блога ZametkiNaPolyah.ru! Продолжим знакомиться с протоколом HTTP в рубрике Серверы и протоколы и ее разделе HTTP протокол. Эта запись целиком и полностью посвящена ошибка клиента при взаимодействие по HTTP протоколу. Мы с тобой рассмотрим коды ошибок клиента HTTP. Вообще, коды ошибок клиента в HTTP протоколе могут быть расширены любым сервером, мы рассмотрим только коды ошибок клиента, которые указаны в стандарте HTTP 1.1. Сперва, как и обычно при рассмотрение кодов HTTP протокола, мы дадим общее описания кодам ошибок клиента, а затем рассмотрим по отдельности каждый из 18 HTTP кодов ошибок клиента.

HTTP коды ошибок клиента

Общая информация о HTTP кодах ошибок клиента

Содержание статьи:

Общая информация о HTTP кодах ошибок клиента
HTTP код ошибки 400, код ошибки 401, код ошибки клиента 402, код ошибки 403, HTTP код ошибки клиента 404, ошибка клиента 405
HTTP код ошибки 406, код ошибки 407, HTTP код ошибки клиента 408, код ответа сервера 409, код ошибки 410, код ошибки клиента 411, HTTP код 412
HTTP код ошибки клиента 413, код ошибки клиента 414, ошибка клиента 415, ошибка 416, HTTP код 417

HTTP коды ошибок клиента говорят пользователю о том, что ему не удалось получить запрашиваемый ресурс, указанный в URI (запись про URI в HTTP), по вине самого пользователя или клиента, например, пользователь ошибся при вводе URL в браузере, в этом случае сервер даст ответ с кодом состояния 404. Все коды ошибок HTTP клиента начинаются с четверки. HTTP сервер всегда в случае ошибки клиента отправляет вместе с кодом состояния пояснения того, почему произошла ошибка, за исключение тех случаев, когда используется HTTP метод HEAD.

Давайте для удобства рассмотрения сведем в одну таблицу все коды ошибок HTTP клиента в одну таблицу. И не будем забывать, что в основе протокола HTTP лежит модель взаимодействия клиент-сервер, которая делит обязанности приложений на клиентские и серверные, рассматриваемый протокол довольно строго придерживается данной модели, и у нас есть специальные коды ошибок, которые происходят по вине серверных приложений и есть коды ошибок, которые происходят по вине человека или клиентского приложения, которым человек пользуется.

Код ошибки HTTP клиента	Описание кода ошибки HTTP клиента
400 Bad Request	Код состояния ошибки HTTP клиента 400: плохой запрос Такой код состояния ошибки клиента вы можете увидеть тогда, когда сервер не понял ваш запрос из-за синтаксической ошибке в HTTP запросе.
401 Unauthorized	Код состояния ошибки HTTP клиента 401: не авторизован Такой код состояния ошибки клиента вы можете увидеть в том случае, если для доступа к ресурсу требуется аутентификация по соображениям безопасности HTTP сервера.
402 Payment Required	Код состояния ошибки HTTP клиента 402: требуется оплата Этот код состояния ошибки клиента на данный момент пока не используется, он предназначен для платных сервисов, а не для хостингов и интернет-провайдеров.
403 Forbidden	Код состояния ошибки HTTP клиента 403: запрещено Такой код состояния ошибки клиента вы увидите в том случае, когда сервер вас прекрасно понял, но отказывается вам предоставлять доступ к ресурсу из-за того, что у вас недостаточно прав доступа.
404 Not Found	Код состояния ошибки HTTP клиента 404: не найдено Самый популярный код состояния ошибки клиента. Вы его можете увидеть в том случае, когда ошиблись, вводя URL в браузере.
405 Method Not Allowed	Код состояния ошибки HTTP клиента 405: метод не дозволен Данный код состояния ошибки клиента можно увидеть в том случае, когда вы используете метод запроса, запрещенный в настройках HTTP сервера.
406 Not Acceptable	Код состояния ошибки HTTP клиента 406: не приемлем Этот код состояния вы увидите в том случае, когда HTTP сообщение вашего клиента содержит неправильные параметры для указанного в нем URI.
407 Proxy Authentication Required	Код состояния ошибки HTTP клиента 407: требуется установления подлинности через прокси-сервер Если вы видите этот код состояния ошибки клиента, то вам нужно пройти аутентификацию на прокси-сервере.
408 Request Timeout	Код состояния ошибки HTTP клиента 408: истекло время ожидания запроса Этот код состояния ошибки HTTP клиента вы увидите тогда, когда сервер устал ждать от вас сообщение.
409 Conflict	Код состояния ошибки HTTP клиента 409: конфликт Такой код состояния ошибки клиента будет появляться очень редко, когда будет происходить конфликт действий между двумя пользователями.
410 Gone	Код состояния ошибки HTTP клиента 410: удален А этот код состояния ошибки клиента будет показан сервером в том случае, когда ресурс был доступен по указанному URI, но теперь его там нет.
411 Length Required	Код состояния ошибки HTTP клиента 411: требуется длина Этот код состояния ошибки клиента появляется в том случае, когда серверу нужно обязательно указывать поле заголовка Content-Lenght
412 Precondition Failed	Код состояния ошибки HTTP клиента 412: предусловие неверно Сервер вернет HTTP ответ с таким кодом состояния в том случае, когда он не смог выполнить ни одно из условий из запроса клиента.
413 Request Entity Too Large	Код состояния ошибки HTTP клиента 413: объект запроса слишком велик А такой код ошибки клиента можно увидеть в том случае, когда тело (HTTP объекты и тело сообщения) запроса слишком большое и сервер его получить не смог.
414 Request-url Too Long	Код состояния ошибки HTTP клиента 414: URI запроса слишком длинный Такой код ошибки клиента сервер выдаст в том случае, если URI запроса слишком длинный.
415 Unsupported Media Type	Код состояния ошибки HTTP клиента 415: неподдерживаемый медиа тип Сервер может выдать такой код состояния ошибки клиента в том случае, если не захочет работать с указанным типом данных (типы данных в HTTP) тем методом, который указан в запросе клиента
416 Requested Range Not Satisfiable	Код состояния ошибки HTTP клиента 416: запрашиваемый диапазон не достижим Данный код и ошибки клиента говорит нам о том, что диапазон фрагмента (единицы измерения в HTTP) в поле заголовка Range указан неверно.
417 Expectation Failed	Код состояния ошибки HTTP клиента 417: ожидаемое неприемлимо Код состояния ошибки клиента 417 появится в том случае, если сервер не сможет удовлетворить значению, указанному в поле заголовка Expect.

Далее мы рассмотрим более подробно коды ошибок HTTP клиента.

HTTP код ошибки 400, код ошибки 401, код ошибки клиента 402, код ошибки 403, HTTP код ошибки клиента 404, ошибка клиента 405

HTTP код ошибки клиента 400: Bad Request или неверный запрос. Сервер вернет ответ с кодом ошибки 400 в том случае, когда обнаружит, что HTTP запрос клиента содержит синтаксическую ошибку.

HTTP код ошибки клиента 401: Unauthorized или не авторизован. Код ошибки клиента 401 сервер отправляет в том случае, когда для доступа к ресурсу требуется авторизация, при этом ответ HTTP сервера должен (читай про требования HTTP протокола) включать поле заголовка WWW-Authenticate и перечень условий для аутентификации клиента, после чего клиент может повторить запрос к серверу с полем Authorization, в котором будут указаны все необходимые данные для авторизации.

HTTP код ошибки клиента 402: Payment Required или требуется оплата. Данный код ошибки клиента зарезервирован для будущего использования и предназначен для оповещения клиента о том, что для доступа к ресурсу ему необходимо произвести оплату. Обратите внимание: данный код ошибки клиент не используется ни хостингами, ни интернет-магазина, ни даже интернет-провайдерами.

HTTP код ошибки клиента 403: Forbidden или запрещено. HTTP код ошибки клиента 403 отправляется сервером в том случае, когда он отказывается выполнить ваш запрос, причин на то могут быть разными. При этом сервер не должен сообщать является ли эта мера временной или постоянной. Одной из причин появления HTTP кода 403 может быть то, что у пользователя недостаточно прав доступа к ресурсу.

HTTP код ошибки клиента 404: Not Found или не найдено. HTTP код ошибки клиента 404 – самый популярный код ошибки клиента, код ошибки 404 видел, наверное, каждый. Ведь для того, чтобы увидеть код ошибки 404 достаточно ввести неверный URL.

HTTP код ошибки клиента 405: Method Not Allowed или метод не дозволен. Код ошибки 405 сервер отправляет клиенту в том случае, когда для ресурса, указанного в URI, нельзя применить метод, указанный в запросе клиента. Код ошибки 405 появляется в основном из-за конфигураций безопасности сервера, когда администратор преднамеренно запрещает выполнение тех или иных методов HTTP запросов на сервере. При этом ответ сервера с кодом ошибки 405 должен содержать поле заголовка Allow, в котором будут указаны доступные метода для ресурса.

HTTP код ошибки 406, код ошибки 407, HTTP код ошибки клиента 408, код ответа сервера 409, код ошибки 410, код ошибки клиента 411, HTTP код 412

HTTP код ошибки клиента 406: Not Acceptable или не приемлем. Код ошибки 406 говорит клиенту о том, что введенный URI не приемлем с теми характеристиками, которые были указаны в HTTP заголовке (читай про параметры HTTP протокола). Если метод запроса был отличным от метода HEAD, то серверу нужно включить в тело сообщения список доступных характеристик для данного URI. Формат HTTP объекта определяется медиа типом в поле заголовка Content-Length и в зависимости от клиента и его возможностей подходящий вариант запроса может быть выбран автоматически, этот код применяется при обсуждении содержимого в HTTP.

HTTP код ошибки клиента 407: Proxy Authentication Required или требуется установление подлинности через прокси-сервер. HTTP код ошибки клиента 407 появится в том случае, когда клиенту для доступа к указанному ресурсу необходимо авторизоваться на прокси-сервере. Когда возникает код ошибки 407 прокси-сервер должен возвратить поле заголовка Proxy-Authenticate содержащее вызов (challenge), применяемый прокси-сервером для запрошенного ресурса. Код ошибки 407 аналогичен по своему действию с кодом 401.

HTTP код ошибки клиента 408: Request Timeout или истекло время ожидания запроса. Код ошибки 408 возникает в том случае, когда клиент не произвел запрос в течение того времени, которое сервер готов ждать, но клиент может повторить запрос.

HTTP код ошибки клиента 409: Conflict или конфликт. Код ошибки клиента 409 возникает в том случае, когда происходит конфликт между несколькими клиентами при доступе к одному ресурсу. Код ошибки 409 показывается клиенту только в том случае, когда тот может устранить конфликт и повторить свой запрос. HTTP ответ сервера должен предоставить максимум информации для пользователя, чтобы он устранил конфликт, и код 409 больше не появлялся. Чаще всего ошибка 409 появляется при использование метода PUT.

HTTP код ошибки клиента 410: Gone или удален. HTTP код ошибки клиента 410 будет отправлен сервером в том случае, когда ресурс удален и сервер не знает, где искать копию ресурса или его новую версию. В том случае, когда у сервера есть информация о том, что ресурс может быть восстановлен, ему не следует показывать ошибку 410, а лучше показать код ошибки 404.

HTTP код ошибки клиента 411: Length Required или требуется длина. Код ошибки 411 будет показан клиенту в том случае, когда серверу для корректной обработки запроса требуется длина содержимого. Клиент может повторить запрос, если добавит допустимое поле заголовка Content-Length, содержащее длину тела сообщения (message-body) в сообщении запроса.

HTTP код ошибки клиента 412: Precondition Failed или предусловие неверно. Код ошибки 412 будет выслан клиенту сервером в том случае, когда сервер не может выполнить условия, указанные в заголовке HTTP запроса.

HTTP код ошибки клиента 413, код ошибки клиента 414, ошибка клиента 415, ошибка 416, HTTP код 417

HTTP код ошибки клиента 413: Request Entity Too Large или объект запроса слишком большой. Код ошибки 413 появляется в том случае, когда объект, передаваемый в запросе клиента слишком большой и сервер его не может обработать. Сервер может закрыть соединение (здесь написано про HTTP соединения), чтобы не дать клиенту возможность продолжить запрос. Если такая ситуация временная, то сервер в своем сообщении вместе кодом ошибки 413 передает поле заголовка Retry-After, в котором указывает время, через которое запрос может быть повторен.

HTTP код ошибки клиента 414: Request-URI Too Long или запроса слишком длинный. Сервер отправляет сообщение с кодом ошибки 414 в том случае, когда URI, указанный в запросе слишком длинный. Ошибка 414 обычно возникает тогда, когда клиент пытается передать кучу параметров методом GET, а следовало бы использовать метод POST.

HTTP код ошибки клиента 415: Unsupported Media Type или неподдерживаемый медиа тип. Код ошибки 415 сервер отправляет в том случае, когда он отказывается обслуживать запрос из-за некорректного типа данных для ресурса, который указан в URI: когда метод выбранный в запросе не соответствует типу данных ресурса.

HTTP код ошибки клиента 416: Requested Range Not Satisfiable или запрашиваемый диапазон не достижим. Сервер отправит сообщение с кодом ошибки 416 в том случае, когда в поле заголовка запроса Range был указан неверный диапазон фрагмента.

HTTP код ошибки клиента 417: Expectation Failed или ожидаемое неприемлемо. Код ошибки 417 появляется в том случае, когда сервер не может удовлетворить значению Expect, которое указано в заголовке HTTP запроса.

Мы рассмотрели коды ошибок HTTP клиента, давайте перейдем к последнему классу кодов состояния — HTTP коды ошибок серевра. Позволю себе напомнить, что в HTTP еще есть информационные коды состояния, успешные коды состояния и коды перенаправления. А если тебе нужна информацию обо всех кодах состояния, обратись к справочнику HTTP кодов состояния, в котором есть полное описание всех кодов.

Не забывайте делиться своим мнением в комментариях и оставлять отзывы, это поможет сделать нашу работу лучше, с уважением ZametkiNaPolyah.ru!

Источник

From Wikipedia, the free encyclopedia

This is a list of Hypertext Transfer Protocol (HTTP) response status codes. Status codes are issued by a server in response to a client’s request made to the server. It includes codes from IETF Request for Comments (RFCs), other specifications, and some additional codes used in some common applications of the HTTP. The first digit of the status code specifies one of five standard classes of responses. The optional message phrases shown are typical, but any human-readable alternative may be provided, or none at all.

Unless otherwise stated, the status code is part of the HTTP standard (RFC 9110).

The Internet Assigned Numbers Authority (IANA) maintains the official registry of HTTP status codes.^[1]

All HTTP response status codes are separated into five classes or categories. The first digit of the status code defines the class of response, while the last two digits do not have any classifying or categorization role. There are five classes defined by the standard:

1xx informational response – the request was received, continuing process
2xx successful – the request was successfully received, understood, and accepted
3xx redirection – further action needs to be taken in order to complete the request
4xx client error – the request contains bad syntax or cannot be fulfilled
5xx server error – the server failed to fulfil an apparently valid request

1xx informational response

An informational response indicates that the request was received and understood. It is issued on a provisional basis while request processing continues. It alerts the client to wait for a final response. The message consists only of the status line and optional header fields, and is terminated by an empty line. As the HTTP/1.0 standard did not define any 1xx status codes, servers must not^{[note 1]} send a 1xx response to an HTTP/1.0 compliant client except under experimental conditions.

100 Continue: The server has received the request headers and the client should proceed to send the request body (in the case of a request for which a body needs to be sent; for example, a POST request). Sending a large request body to a server after a request has been rejected for inappropriate headers would be inefficient. To have a server check the request’s headers, a client must send Expect: 100-continue as a header in its initial request and receive a 100 Continue status code in response before sending the body. If the client receives an error code such as 403 (Forbidden) or 405 (Method Not Allowed) then it should not send the request’s body. The response 417 Expectation Failed indicates that the request should be repeated without the Expect header as it indicates that the server does not support expectations (this is the case, for example, of HTTP/1.0 servers).^[2]
101 Switching Protocols: The requester has asked the server to switch protocols and the server has agreed to do so.
102 Processing (WebDAV; RFC 2518): A WebDAV request may contain many sub-requests involving file operations, requiring a long time to complete the request. This code indicates that the server has received and is processing the request, but no response is available yet.^[3] This prevents the client from timing out and assuming the request was lost. The status code is deprecated.^[4]
103 Early Hints (RFC 8297): Used to return some response headers before final HTTP message.^[5]

2xx success

This class of status codes indicates the action requested by the client was received, understood, and accepted.^[1]

200 OK: Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request, the response will contain an entity describing or containing the result of the action.
201 Created: The request has been fulfilled, resulting in the creation of a new resource.^[6]
202 Accepted: The request has been accepted for processing, but the processing has not been completed. The request might or might not be eventually acted upon, and may be disallowed when processing occurs.
203 Non-Authoritative Information (since HTTP/1.1): The server is a transforming proxy (e.g. a Web accelerator) that received a 200 OK from its origin, but is returning a modified version of the origin’s response.^[7]^[8]
204 No Content: The server successfully processed the request, and is not returning any content.
205 Reset Content: The server successfully processed the request, asks that the requester reset its document view, and is not returning any content.
206 Partial Content: The server is delivering only part of the resource (byte serving) due to a range header sent by the client. The range header is used by HTTP clients to enable resuming of interrupted downloads, or split a download into multiple simultaneous streams.
207 Multi-Status (WebDAV; RFC 4918): The message body that follows is by default an XML message and can contain a number of separate response codes, depending on how many sub-requests were made.^[9]
208 Already Reported (WebDAV; RFC 5842): The members of a DAV binding have already been enumerated in a preceding part of the (multistatus) response, and are not being included again.
226 IM Used (RFC 3229): The server has fulfilled a request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.^[10]

3xx redirection

This class of status code indicates the client must take additional action to complete the request. Many of these status codes are used in URL redirection.^[1]

A user agent may carry out the additional action with no user interaction only if the method used in the second request is GET or HEAD. A user agent may automatically redirect a request. A user agent should detect and intervene to prevent cyclical redirects.^[11]

300 Multiple Choices: Indicates multiple options for the resource from which the client may choose (via agent-driven content negotiation). For example, this code could be used to present multiple video format options, to list files with different filename extensions, or to suggest word-sense disambiguation.
301 Moved Permanently: This and all future requests should be directed to the given URI.
302 Found (Previously «Moved temporarily»): Tells the client to look at (browse to) another URL. The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect with the same method (the original describing phrase was «Moved Temporarily»),^[12] but popular browsers implemented 302 redirects by changing the method to GET. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviours.^[11]
303 See Other (since HTTP/1.1): The response to the request can be found under another URI using the GET method. When received in response to a POST (or PUT/DELETE), the client should presume that the server has received the data and should issue a new GET request to the given URI.
304 Not Modified: Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-None-Match. In such case, there is no need to retransmit the resource since the client still has a previously-downloaded copy.
305 Use Proxy (since HTTP/1.1): The requested resource is available only through a proxy, the address for which is provided in the response. For security reasons, many HTTP clients (such as Mozilla Firefox and Internet Explorer) do not obey this status code.
306 Switch Proxy: No longer used. Originally meant «Subsequent requests should use the specified proxy.»
307 Temporary Redirect (since HTTP/1.1): In this case, the request should be repeated with another URI; however, future requests should still use the original URI. In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request. For example, a POST request should be repeated using another POST request.
308 Permanent Redirect: This and all future requests should be directed to the given URI. 308 parallel the behaviour of 301, but does not allow the HTTP method to change. So, for example, submitting a form to a permanently redirected resource may continue smoothly.

4xx client errors

404 error on Wikimedia

This class of status code is intended for situations in which the error seems to have been caused by the client. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These status codes are applicable to any request method. User agents should display any included entity to the user.

400 Bad Request: The server cannot or will not process the request due to an apparent client error (e.g., malformed request syntax, size too large, invalid request message framing, or deceptive request routing).
401 Unauthorized: Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication. 401 semantically means «unauthorised», the user does not have valid authentication credentials for the target resource.; Some sites incorrectly issue HTTP 401 when an IP address is banned from the website (usually the website domain) and that specific address is refused permission to access a website.^{[citation needed]}
402 Payment Required: Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, as proposed, for example, by GNU Taler,^[14] but that has not yet happened, and this code is not widely used. Google Developers API uses this status if a particular developer has exceeded the daily limit on requests.^[15] Sipgate uses this code if an account does not have sufficient funds to start a call.^[16] Shopify uses this code when the store has not paid their fees and is temporarily disabled.^[17] Stripe uses this code for failed payments where parameters were correct, for example blocked fraudulent payments.^[18]
403 Forbidden: The request contained valid data and was understood by the server, but the server is refusing action. This may be due to the user not having the necessary permissions for a resource or needing an account of some sort, or attempting a prohibited action (e.g. creating a duplicate record where only one is allowed). This code is also typically used if the request provided authentication by answering the WWW-Authenticate header field challenge, but the server did not accept that authentication. The request should not be repeated.
404 Not Found: The requested resource could not be found but may be available in the future. Subsequent requests by the client are permissible.
405 Method Not Allowed: A request method is not supported for the requested resource; for example, a GET request on a form that requires data to be presented via POST, or a PUT request on a read-only resource.
406 Not Acceptable: The requested resource is capable of generating only content not acceptable according to the Accept headers sent in the request. See Content negotiation.
407 Proxy Authentication Required: The client must first authenticate itself with the proxy.
408 Request Timeout: The server timed out waiting for the request. According to HTTP specifications: «The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time.»
409 Conflict: Indicates that the request could not be processed because of conflict in the current state of the resource, such as an edit conflict between multiple simultaneous updates.
410 Gone: Indicates that the resource requested was previously in use but is no longer available and will not be available again. This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a «404 Not Found» may be used instead.
411 Length Required: The request did not specify the length of its content, which is required by the requested resource.
412 Precondition Failed: The server does not meet one of the preconditions that the requester put on the request header fields.
413 Payload Too Large: The request is larger than the server is willing or able to process. Previously called «Request Entity Too Large» in RFC 2616.^[19]
414 URI Too Long: The URI provided was too long for the server to process. Often the result of too much data being encoded as a query-string of a GET request, in which case it should be converted to a POST request. Called «Request-URI Too Long» previously in RFC 2616.^[20]
415 Unsupported Media Type: The request entity has a media type which the server or resource does not support. For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
416 Range Not Satisfiable: The client has asked for a portion of the file (byte serving), but the server cannot supply that portion. For example, if the client asked for a part of the file that lies beyond the end of the file. Called «Requested Range Not Satisfiable» previously RFC 2616.^[21]
417 Expectation Failed: The server cannot meet the requirements of the Expect request-header field.^[22]
418 I’m a teapot (RFC 2324, RFC 7168): This code was defined in 1998 as one of the traditional IETF April Fools’ jokes, in RFC 2324, Hyper Text Coffee Pot Control Protocol, and is not expected to be implemented by actual HTTP servers. The RFC specifies this code should be returned by teapots requested to brew coffee.^[23] This HTTP status is used as an Easter egg in some websites, such as Google.com’s «I’m a teapot» easter egg.^[24]^[25]^[26] Sometimes, this status code is also used as a response to a blocked request, instead of the more appropriate 403 Forbidden.^[27]^[28]
421 Misdirected Request: The request was directed at a server that is not able to produce a response (for example because of connection reuse).
422 Unprocessable Entity: The request was well-formed but was unable to be followed due to semantic errors.^[9]
423 Locked (WebDAV; RFC 4918): The resource that is being accessed is locked.^[9]
424 Failed Dependency (WebDAV; RFC 4918): The request failed because it depended on another request and that request failed (e.g., a PROPPATCH).^[9]
425 Too Early (RFC 8470): Indicates that the server is unwilling to risk processing a request that might be replayed.
426 Upgrade Required: The client should switch to a different protocol such as TLS/1.3, given in the Upgrade header field.
428 Precondition Required (RFC 6585): The origin server requires the request to be conditional. Intended to prevent the ‘lost update’ problem, where a client GETs a resource’s state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict.^[29]
429 Too Many Requests (RFC 6585): The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.^[29]
431 Request Header Fields Too Large (RFC 6585): The server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large.^[29]
451 Unavailable For Legal Reasons (RFC 7725): A server operator has received a legal demand to deny access to a resource or to a set of resources that includes the requested resource.^[30] The code 451 was chosen as a reference to the novel Fahrenheit 451 (see the Acknowledgements in the RFC).

5xx server errors

The server failed to fulfil a request.

Response status codes beginning with the digit «5» indicate cases in which the server is aware that it has encountered an error or is otherwise incapable of performing the request. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and indicate whether it is a temporary or permanent condition. Likewise, user agents should display any included entity to the user. These response codes are applicable to any request method.

500 Internal Server Error: A generic error message, given when an unexpected condition was encountered and no more specific message is suitable.
501 Not Implemented: The server either does not recognize the request method, or it lacks the ability to fulfil the request. Usually this implies future availability (e.g., a new feature of a web-service API).
502 Bad Gateway: The server was acting as a gateway or proxy and received an invalid response from the upstream server.
503 Service Unavailable: The server cannot handle the request (because it is overloaded or down for maintenance). Generally, this is a temporary state.^[31]
504 Gateway Timeout: The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.
505 HTTP Version Not Supported: The server does not support the HTTP version used in the request.
506 Variant Also Negotiates (RFC 2295): Transparent content negotiation for the request results in a circular reference.^[32]
507 Insufficient Storage (WebDAV; RFC 4918): The server is unable to store the representation needed to complete the request.^[9]
508 Loop Detected (WebDAV; RFC 5842): The server detected an infinite loop while processing the request (sent instead of 208 Already Reported).
510 Not Extended (RFC 2774): Further extensions to the request are required for the server to fulfil it.^[33]
511 Network Authentication Required (RFC 6585): The client needs to authenticate to gain network access. Intended for use by intercepting proxies used to control access to the network (e.g., «captive portals» used to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot).^[29]

Unofficial codes

The following codes are not specified by any standard.

218 This is fine (Apache HTTP Server): Used by Apache servers. A catch-all error condition allowing the passage of message bodies through the server when the ProxyErrorOverride setting is enabled. It is displayed in this situation instead of a 4xx or 5xx error message.^[34]
419 Page Expired (Laravel Framework): Used by the Laravel Framework when a CSRF Token is missing or expired.^{[citation needed]}
420 Method Failure (Spring Framework): A deprecated response used by the Spring Framework when a method has failed.^[35]
420 Enhance Your Calm (Twitter): Returned by version 1 of the Twitter Search and Trends API when the client is being rate limited; versions 1.1 and later use the 429 Too Many Requests response code instead.^[36] The phrase «Enhance your calm» comes from the 1993 movie Demolition Man, and its association with this number is likely a reference to cannabis.^{[citation needed]}
430 Request Header Fields Too Large (Shopify): Used by Shopify, instead of the 429 Too Many Requests response code, when too many URLs are requested within a certain time frame.^[37]
450 Blocked by Windows Parental Controls (Microsoft): The Microsoft extension code indicated when Windows Parental Controls are turned on and are blocking access to the requested webpage.^[38]
498 Invalid Token (Esri): Returned by ArcGIS for Server. Code 498 indicates an expired or otherwise invalid token.^[39]
499 Token Required (Esri): Returned by ArcGIS for Server. Code 499 indicates that a token is required but was not submitted.^[39]
509 Bandwidth Limit Exceeded (Apache Web Server/cPanel): The server has exceeded the bandwidth specified by the server administrator; this is often used by shared hosting providers to limit the bandwidth of customers.^[40]
529 Site is overloaded: Used by Qualys in the SSLLabs server testing API to signal that the site can’t process the request.^[41]
530 Site is frozen: Used by the Pantheon Systems web platform to indicate a site that has been frozen due to inactivity.^[42]
598 (Informal convention) Network read timeout error: Used by some HTTP proxies to signal a network read timeout behind the proxy to a client in front of the proxy.^[43]
599 Network Connect Timeout Error: An error used by some HTTP proxies to signal a network connect timeout behind the proxy to a client in front of the proxy.

Internet Information Services

Microsoft’s Internet Information Services (IIS) web server expands the 4xx error space to signal errors with the client’s request.

440 Login Time-out: The client’s session has expired and must log in again.^[44]
449 Retry With: The server cannot honour the request because the user has not provided the required information.^[45]
451 Redirect: Used in Exchange ActiveSync when either a more efficient server is available or the server cannot access the users’ mailbox.^[46] The client is expected to re-run the HTTP AutoDiscover operation to find a more appropriate server.^[47]

IIS sometimes uses additional decimal sub-codes for more specific information,^[48] however these sub-codes only appear in the response payload and in documentation, not in the place of an actual HTTP status code.

nginx

The nginx web server software expands the 4xx error space to signal issues with the client’s request.^[49]^[50]

444 No Response: Used internally^[51] to instruct the server to return no information to the client and close the connection immediately.
494 Request header too large: Client sent too large request or too long header line.
495 SSL Certificate Error: An expansion of the 400 Bad Request response code, used when the client has provided an invalid client certificate.
496 SSL Certificate Required: An expansion of the 400 Bad Request response code, used when a client certificate is required but not provided.
497 HTTP Request Sent to HTTPS Port: An expansion of the 400 Bad Request response code, used when the client has made a HTTP request to a port listening for HTTPS requests.
499 Client Closed Request: Used when the client has closed the request before the server could send a response.

Cloudflare

Cloudflare’s reverse proxy service expands the 5xx series of errors space to signal issues with the origin server.^[52]

520 Web Server Returned an Unknown Error: The origin server returned an empty, unknown, or unexpected response to Cloudflare.^[53]
521 Web Server Is Down: The origin server refused connections from Cloudflare. Security solutions at the origin may be blocking legitimate connections from certain Cloudflare IP addresses.
522 Connection Timed Out: Cloudflare timed out contacting the origin server.
523 Origin Is Unreachable: Cloudflare could not reach the origin server; for example, if the DNS records for the origin server are incorrect or missing.
524 A Timeout Occurred: Cloudflare was able to complete a TCP connection to the origin server, but did not receive a timely HTTP response.
525 SSL Handshake Failed: Cloudflare could not negotiate a SSL/TLS handshake with the origin server.
526 Invalid SSL Certificate: Cloudflare could not validate the SSL certificate on the origin web server. Also used by Cloud Foundry’s gorouter.
527 Railgun Error: Error 527 indicates an interrupted connection between Cloudflare and the origin server’s Railgun server.^[54]
530: Error 530 is returned along with a 1xxx error.^[55]

AWS Elastic Load Balancing

Amazon Web Services’ Elastic Load Balancing adds a few custom return codes to signal issues either with the client request or with the origin server.^[56]

460: Client closed the connection with the load balancer before the idle timeout period elapsed. Typically when client timeout is sooner than the Elastic Load Balancer’s timeout.^[56]
463: The load balancer received an X-Forwarded-For request header with more than 30 IP addresses.^[56]
464: Incompatible protocol versions between Client and Origin server.^[56]
561 Unauthorized: An error around authentication returned by a server registered with a load balancer. You configured a listener rule to authenticate users, but the identity provider (IdP) returned an error code when authenticating the user.^[56]

Caching warning codes (obsoleted)

The following caching related warning codes were specified under RFC 7234. Unlike the other status codes above, these were not sent as the response status in the HTTP protocol, but as part of the «Warning» HTTP header.^[57]^[58]

Since this «Warning» header is often neither sent by servers nor acknowledged by clients, this header and its codes were obsoleted by the HTTP Working Group in 2022 with RFC 9111.^[59]

110 Response is Stale: The response provided by a cache is stale (the content’s age exceeds a maximum age set by a Cache-Control header or heuristically chosen lifetime).
111 Revalidation Failed: The cache was unable to validate the response, due to an inability to reach the origin server.
112 Disconnected Operation: The cache is intentionally disconnected from the rest of the network.
113 Heuristic Expiration: The cache heuristically chose a freshness lifetime greater than 24 hours and the response’s age is greater than 24 hours.
199 Miscellaneous Warning: Arbitrary, non-specific warning. The warning text may be logged or presented to the user.
214 Transformation Applied: Added by a proxy if it applies any transformation to the representation, such as changing the content encoding, media type or the like.
299 Miscellaneous Persistent Warning: Same as 199, but indicating a persistent warning.

Explanatory notes

^ Emphasised words and phrases such as must and should represent interpretation guidelines as given by RFC 2119

References

^ ^a ^b ^c «Hypertext Transfer Protocol (HTTP) Status Code Registry». Iana.org. Archived from the original on December 11, 2011. Retrieved January 8, 2015.
^ Fielding, Roy T. «RFC 9110: HTTP Semantics and Content, Section 10.1.1 «Expect»«.
^ Goland, Yaronn; Whitehead, Jim; Faizi, Asad; Carter, Steve R.; Jensen, Del (February 1999). HTTP Extensions for Distributed Authoring – WEBDAV. IETF. doi:10.17487/RFC2518. RFC 2518. Retrieved October 24, 2009.
^ «102 Processing — HTTP MDN». 102 status code is deprecated
^ Oku, Kazuho (December 2017). An HTTP Status Code for Indicating Hints. IETF. doi:10.17487/RFC8297. RFC 8297. Retrieved December 20, 2017.
^ Stewart, Mark; djna. «Create request with POST, which response codes 200 or 201 and content». Stack Overflow. Archived from the original on October 11, 2016. Retrieved October 16, 2015.
^ «RFC 9110: HTTP Semantics and Content, Section 15.3.4».
^ «RFC 9110: HTTP Semantics and Content, Section 7.7».
^ ^a ^b ^c ^d ^e Dusseault, Lisa, ed. (June 2007). HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV). IETF. doi:10.17487/RFC4918. RFC 4918. Retrieved October 24, 2009.
^ Delta encoding in HTTP. IETF. January 2002. doi:10.17487/RFC3229. RFC 3229. Retrieved February 25, 2011.
^ ^a ^b «RFC 9110: HTTP Semantics and Content, Section 15.4 «Redirection 3xx»«.
^ Berners-Lee, Tim; Fielding, Roy T.; Nielsen, Henrik Frystyk (May 1996). Hypertext Transfer Protocol – HTTP/1.0. IETF. doi:10.17487/RFC1945. RFC 1945. Retrieved October 24, 2009.
^ «The GNU Taler tutorial for PHP Web shop developers 0.4.0». docs.taler.net. Archived from the original on November 8, 2017. Retrieved October 29, 2017.
^ «Google API Standard Error Responses». 2016. Archived from the original on May 25, 2017. Retrieved June 21, 2017.
^ «Sipgate API Documentation». Archived from the original on July 10, 2018. Retrieved July 10, 2018.
^ «Shopify Documentation». Archived from the original on July 25, 2018. Retrieved July 25, 2018.
^ «Stripe API Reference – Errors». stripe.com. Retrieved October 28, 2019.
^ «RFC2616 on status 413». Tools.ietf.org. Archived from the original on March 7, 2011. Retrieved November 11, 2015.
^ «RFC2616 on status 414». Tools.ietf.org. Archived from the original on March 7, 2011. Retrieved November 11, 2015.
^ «RFC2616 on status 416». Tools.ietf.org. Archived from the original on March 7, 2011. Retrieved November 11, 2015.
^ TheDeadLike. «HTTP/1.1 Status Codes 400 and 417, cannot choose which». serverFault. Archived from the original on October 10, 2015. Retrieved October 16, 2015.
^ Larry Masinter (April 1, 1998). Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0). doi:10.17487/RFC2324. RFC 2324. Any attempt to brew coffee with a teapot should result in the error code «418 I’m a teapot». The resulting entity body MAY be short and stout.
^ I’m a teapot
^ Barry Schwartz (August 26, 2014). «New Google Easter Egg For SEO Geeks: Server Status 418, I’m A Teapot». Search Engine Land. Archived from the original on November 15, 2015. Retrieved November 4, 2015.
^ «Google’s Teapot». Retrieved October 23, 2017.^{[dead link]}
^ «Enable extra web security on a website». DreamHost. Retrieved December 18, 2022.
^ «I Went to a Russian Website and All I Got Was This Lousy Teapot». PCMag. Retrieved December 18, 2022.
^ ^a ^b ^c ^d Nottingham, M.; Fielding, R. (April 2012). «RFC 6585 – Additional HTTP Status Codes». Request for Comments. Internet Engineering Task Force. Archived from the original on May 4, 2012. Retrieved May 1, 2012.
^ Bray, T. (February 2016). «An HTTP Status Code to Report Legal Obstacles». ietf.org. Archived from the original on March 4, 2016. Retrieved March 7, 2015.
^ alex. «What is the correct HTTP status code to send when a site is down for maintenance?». Stack Overflow. Archived from the original on October 11, 2016. Retrieved October 16, 2015.
^ Holtman, Koen; Mutz, Andrew H. (March 1998). Transparent Content Negotiation in HTTP. IETF. doi:10.17487/RFC2295. RFC 2295. Retrieved October 24, 2009.
^ Nielsen, Henrik Frystyk; Leach, Paul; Lawrence, Scott (February 2000). An HTTP Extension Framework. IETF. doi:10.17487/RFC2774. RFC 2774. Retrieved October 24, 2009.
^ «218 This is fine — HTTP status code explained». HTTP.dev. Retrieved July 25, 2023.{{cite web}}: CS1 maint: url-status (link)
^ «Enum HttpStatus». Spring Framework. org.springframework.http. Archived from the original on October 25, 2015. Retrieved October 16, 2015.
^ «Twitter Error Codes & Responses». Twitter. 2014. Archived from the original on September 27, 2017. Retrieved January 20, 2014.
^ «HTTP Status Codes and SEO: what you need to know». ContentKing. Retrieved August 9, 2019.
^ «Screenshot of error page». Archived from the original (bmp) on May 11, 2013. Retrieved October 11, 2009.
^ ^a ^b «Using token-based authentication». ArcGIS Server SOAP SDK. Archived from the original on September 26, 2014. Retrieved September 8, 2014.
^ «HTTP Error Codes and Quick Fixes». Docs.cpanel.net. Archived from the original on November 23, 2015. Retrieved October 15, 2015.
^ «SSL Labs API v3 Documentation». github.com.
^ «Platform Considerations | Pantheon Docs». pantheon.io. Archived from the original on January 6, 2017. Retrieved January 5, 2017.
^ «HTTP status codes — ascii-code.com». www.ascii-code.com. Archived from the original on January 7, 2017. Retrieved December 23, 2016.
^
«Error message when you try to log on to Exchange 2007 by using Outlook Web Access: «440 Login Time-out»«. Microsoft. 2010. Retrieved November 13, 2013.
^ «2.2.6 449 Retry With Status Code». Microsoft. 2009. Archived from the original on October 5, 2009. Retrieved October 26, 2009.
^ «MS-ASCMD, Section 3.1.5.2.2». Msdn.microsoft.com. Archived from the original on March 26, 2015. Retrieved January 8, 2015.
^ «Ms-oxdisco». Msdn.microsoft.com. Archived from the original on July 31, 2014. Retrieved January 8, 2015.
^ «The HTTP status codes in IIS 7.0». Microsoft. July 14, 2009. Archived from the original on April 9, 2009. Retrieved April 1, 2009.
^ «ngx_http_request.h». nginx 1.9.5 source code. nginx inc. Archived from the original on September 19, 2017. Retrieved January 9, 2016.
^ «ngx_http_special_response.c». nginx 1.9.5 source code. nginx inc. Archived from the original on May 8, 2018. Retrieved January 9, 2016.
^ «return» directive Archived March 1, 2018, at the Wayback Machine (http_rewrite module) documentation.
^ «Troubleshooting: Error Pages». Cloudflare. Archived from the original on March 4, 2016. Retrieved January 9, 2016.
^ «Error 520: web server returns an unknown error». Cloudflare.
^ «527 Error: Railgun Listener to origin error». Cloudflare. Archived from the original on October 13, 2016. Retrieved October 12, 2016.
^ «Error 530». Cloudflare. Retrieved November 1, 2019.
^ ^a ^b ^c ^d ^e «Troubleshoot Your Application Load Balancers – Elastic Load Balancing». docs.aws.amazon.com. Retrieved May 17, 2023.
^ «Hypertext Transfer Protocol (HTTP/1.1): Caching». datatracker.ietf.org. Retrieved September 25, 2021.
^ «Warning — HTTP | MDN». developer.mozilla.org. Retrieved August 15, 2021. Some text was copied from this source, which is available under a Creative Commons Attribution-ShareAlike 2.5 Generic (CC BY-SA 2.5) license.
^ «RFC 9111: HTTP Caching, Section 5.5 «Warning»«. June 2022.

External links

«RFC 9110: HTTP Semantics and Content, Section 15 «Status Codes»«.
Hypertext Transfer Protocol (HTTP) Status Code Registry at the Internet Assigned Numbers Authority
HTTP status codes at http-statuscode.com
MDN status code reference at mozilla.org

Источник

A clear explanation from Daniel Irvine ^{[original link]}:

There’s a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization.
Receiving a 401 response is the server telling you, “you aren’t
authenticated–either not authenticated at all or authenticated
incorrectly–but please reauthenticate and try again.” To help you out,
it will always include a WWW-Authenticate header that describes how
to authenticate.

This is a response generally returned by your web server, not your web
application.

It’s also something very temporary; the server is asking you to try
again.

So, for authorization I use the 403 Forbidden response. It’s
permanent, it’s tied to my application logic, and it’s a more concrete
response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know
who you are–I believe who you say you are–but you just don’t have
permission to access this resource. Maybe if you ask the system
administrator nicely, you’ll get permission. But please don’t bother
me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing
or bad authentication, and a 403 Forbidden response should be used
afterwards, when the user is authenticated but isn’t authorized to
perform the requested operation on the given resource.

Another nice pictorial format of how http status codes should be used.

Nick T

25.8k12 gold badges83 silver badges121 bronze badges

answered Aug 4, 2011 at 6:24

Edit: RFC2616 is obsolete, see RFC9110.

401 Unauthorized:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

403 Forbidden:

The server understood the request, but is refusing to fulfill it.

From your use case, it appears that the user is not authenticated. I would return 401.

emery

8,67310 gold badges44 silver badges51 bronze badges

answered Jul 21, 2010 at 7:28

OdedOded

490k99 gold badges884 silver badges1010 bronze badges

Something the other answers are missing is that it must be understood that Authentication and Authorization in the context of RFC 2616 refers ONLY to the HTTP Authentication protocol of RFC 2617. Authentication by schemes outside of RFC2617 is not supported in HTTP status codes and are not considered when deciding whether to use 401 or 403.

Brief and Terse

Unauthorized indicates that the client is not RFC2617 authenticated and the server is initiating the authentication process. Forbidden indicates either that the client is RFC2617 authenticated and does not have authorization or that the server does not support RFC2617 for the requested resource.

Meaning if you have your own roll-your-own login process and never use HTTP Authentication, 403 is always the proper response and 401 should never be used.

Detailed and In-Depth

From RFC2616

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8).

and

10.4.4 403 Forbidden
The server understood the request but is refusing to fulfil it. Authorization will not help and the request SHOULD NOT be repeated.

The first thing to keep in mind is that «Authentication» and «Authorization» in the context of this document refer specifically to the HTTP Authentication protocols from RFC 2617. They do not refer to any roll-your-own authentication protocols you may have created using login pages, etc. I will use «login» to refer to authentication and authorization by methods other than RFC2617

So the real difference is not what the problem is or even if there is a solution. The difference is what the server expects the client to do next.

401 indicates that the resource can not be provided, but the server is REQUESTING that the client log in through HTTP Authentication and has sent reply headers to initiate the process. Possibly there are authorizations that will permit access to the resource, possibly there are not, but let’s give it a try and see what happens.

403 indicates that the resource can not be provided and there is, for the current user, no way to solve this through RFC2617 and no point in trying. This may be because it is known that no level of authentication is sufficient (for instance because of an IP blacklist), but it may be because the user is already authenticated and does not have authority. The RFC2617 model is one-user, one-credentials so the case where the user may have a second set of credentials that could be authorized may be ignored. It neither suggests nor implies that some sort of login page or other non-RFC2617 authentication protocol may or may not help — that is outside the RFC2616 standards and definition.

Edit: RFC2616 is obsolete, see RFC7231 and RFC7235.

answered Feb 5, 2013 at 17:14

ldrutldrut

3,8171 gold badge17 silver badges4 bronze badges

  +-----------------------
  | RESOURCE EXISTS ? (if private it is often checked AFTER auth check)
  +-----------------------
    |       |
 NO |       v YES
    v      +-----------------------
   404     | IS LOGGED-IN ? (authenticated, aka user session)
   or      +-----------------------
   401        |              |
   403     NO |              | YES
   3xx        v              v
              401            +-----------------------
       (404 no reveal)       | CAN ACCESS RESOURCE ? (permission, authorized, ...)
              or             +-----------------------
             redirect          |            |
             to login       NO |            | YES
                               |            |
                               v            v
                               403          OK 200, redirect, ...
                      (or 404: no reveal)
                      (or 404: resource does not exist if private)
                      (or 3xx: redirection)

Checks are usually done in this order:

404 if resource is public and does not exist or 3xx redirection
OTHERWISE:
401 if not logged-in or session expired
403 if user does not have permission to access resource (file, json, …)
404 if resource does not exist or not willing to reveal anything, or 3xx redirection

UNAUTHORIZED: Status code (401) indicating that the request requires authentication, usually this means user needs to be logged-in (session). User/agent unknown by the server. Can repeat with other credentials. NOTE: This is confusing as this should have been named ‘unauthenticated’ instead of ‘unauthorized’. This can also happen after login if session expired.
Special case: Can be used instead of 404 to avoid revealing presence or non-presence of resource (credits @gingerCodeNinja)

FORBIDDEN: Status code (403) indicating the server understood the request but refused to fulfill it. User/agent known by the server but has insufficient credentials. Repeating request will not work, unless credentials changed, which is very unlikely in a short time span.
Special case: Can be used instead of 404 to avoid revealing presence or non-presence of resource (credits @gingerCodeNinja) in the case that revealing the presence of the resource exposes sensitive data or gives an attacker useful information.

NOT FOUND: Status code (404) indicating that the requested resource is not available. User/agent known but server will not reveal anything about the resource, does as if it does not exist. Repeating will not work. This is a special use of 404 (github does it for example).

As mentioned by @ChrisH there are a few options for redirection 3xx (301, 302, 303, 307 or not redirecting at all and using a 401):

Difference between HTTP redirect codes
How long do browsers cache HTTP 301s?
What is correct HTTP status code when redirecting to a login page?
What’s the difference between a 302 and a 307 redirect?

answered Feb 23, 2015 at 11:00

According to RFC 2616 (HTTP/1.1) 403 is sent when:

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead

In other words, if the client CAN get access to the resource by authenticating, 401 should be sent.

answered Jul 21, 2010 at 7:26

CumbayahCumbayah

4,4251 gold badge25 silver badges32 bronze badges

Assuming HTTP authentication (WWW-Authenticate and Authorization headers) is in use, if authenticating as another user would grant access to the requested resource, then 401 Unauthorized should be returned.

403 Forbidden is used when access to the resource is forbidden to everyone or restricted to a given network or allowed only over SSL, whatever as long as it is no related to HTTP authentication.

If HTTP authentication is not in use and the service has a cookie-based authentication scheme as is the norm nowadays, then a 403 or a 404 should be returned.

Regarding 401, this is from RFC 7235 (Hypertext Transfer Protocol (HTTP/1.1): Authentication):

3.1. 401 Unauthorized

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The origin server MUST send a WWW-Authenticate header field (Section 4.4) containing at least one challenge applicable to the target resource. If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. The client MAY repeat the request with a new or replaced Authorization header field (Section 4.1). If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user agent SHOULD present the enclosed representation to the user, since it usually contains relevant diagnostic information.

The semantics of 403 (and 404) have changed over time. This is from 1999 (RFC 2616):

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

In 2014 RFC 7231 (Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content) changed the meaning of 403:

6.5.3. 403 Forbidden

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

An origin server that wishes to «hide» the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

Thus, a 403 (or a 404) might now mean about anything. Providing new credentials might help… or it might not.

I believe the reason why this has changed is RFC 2616 assumed HTTP authentication would be used when in practice today’s Web apps build custom authentication schemes using for example forms and cookies.

answered Feb 27, 2013 at 9:44

401 Unauthorized: I don’t know who you are. This an authentication error.
403 Forbidden: I know who you are, but you don’t have permission to access this resource. This is an authorization error.

Premraj

72.3k27 gold badges237 silver badges180 bronze badges

answered Aug 6, 2019 at 12:37

This is an older question, but one option that was never really brought up was to return a 404. From a security perspective, the highest voted answer suffers from a potential information leakage vulnerability. Say, for instance, that the secure web page in question is a system admin page, or perhaps more commonly, is a record in a system that the user doesn’t have access to. Ideally you wouldn’t want a malicious user to even know that there’s a page / record there, let alone that they don’t have access. When I’m building something like this, I’ll try to record unauthenticate / unauthorized requests in an internal log, but return a 404.

OWASP has some more information about how an attacker could use this type of information as part of an attack.

answered Dec 25, 2014 at 9:09

This question was asked some time ago, but people’s thinking moves on.

Section 6.5.3 in this draft (authored by Fielding and Reschke) gives status code 403 a slightly different meaning to the one documented in RFC 2616.

It reflects what happens in authentication & authorization schemes employed by a number of popular web-servers and frameworks.

I’ve emphasized the bit I think is most salient.

6.5.3. 403 Forbidden

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

An origin server that wishes to «hide» the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

Whatever convention you use, the important thing is to provide uniformity across your site / API.

answered May 22, 2014 at 10:54

Dave WattsDave Watts

8907 silver badges11 bronze badges

These are the meanings:

401: User not (correctly) authenticated, the resource/page require authentication

403: User’s role or permissions does not allow to access requested resource, for instance user is not an administrator and requested page is for administrators.

Note: Technically, 403 is a superset of 401, since is legal to give 403 for unauthenticated user too. Anyway is more meaningful to differentiate.

answered Nov 19, 2019 at 10:17

Luca C.Luca C.

11.7k1 gold badge86 silver badges77 bronze badges

!!! DEPR: The answer reflects what used to be common practice, up until 2014 !!!

TL;DR

401: A refusal that has to do with authentication
403: A refusal that has NOTHING to do with authentication

Practical Examples

If apache requires authentication (via .htaccess), and you hit Cancel, it will respond with a 401 Authorization Required

If nginx finds a file, but has no access rights (user/group) to read/access it, it will respond with 403 Forbidden

RFC (2616 Section 10)

401 Unauthorized (10.4.2)

Meaning 1: Need to authenticate

The request requires user authentication. …

Meaning 2: Authentication insufficient

… If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. …

403 Forbidden (10.4.4)

Meaning: Unrelated to authentication

… Authorization will not help …

More details:

The server understood the request, but is refusing to fulfill it.

It SHOULD describe the reason for the refusal in the entity

The status code 404 (Not Found) can be used instead

(If the server wants to keep this information from client)

answered Feb 25, 2015 at 9:03

LeviteLevite

17.3k8 gold badges51 silver badges50 bronze badges

I have created a simple note for you which will make it clear.

answered Nov 11, 2021 at 12:19

PrathamPratham

4973 silver badges7 bronze badges

they are not logged in or do not belong to the proper user group

You have stated two different cases; each case should have a different response:

If they are not logged in at all you should return 401 Unauthorized
If they are logged in but don’t belong to the proper user group, you should return 403 Forbidden

Note on the RFC based on comments received to this answer:

If the user is not logged in they are un-authenticated, the HTTP equivalent of which is 401 and is misleadingly called Unauthorized in the RFC. As section 10.4.2 states for 401 Unauthorized:

«The request requires user authentication.»

If you’re unauthenticated, 401 is the correct response. However if you’re unauthorized, in the semantically correct sense, 403 is the correct response.

answered Oct 1, 2012 at 14:34

Zaid MasudZaid Masud

13.2k9 gold badges67 silver badges88 bronze badges

In English:

401

You are potentially allowed access but for some reason on this request you were
denied. Such as a bad password? Try again, with the correct request
you will get a success response instead.

403

You are not, ever, allowed. Your name is not on the list, you won’t
ever get in, go away, don’t send a re-try request, it will be refused,
always. Go away.

answered Apr 8, 2020 at 14:23

JamesJames

4,6535 gold badges37 silver badges48 bronze badges

401: Who are you again?? (programmer walks into a bar with no ID or invalid ID)

403: Oh great, you again. I’ve got my eye on you. Go on, get outta here. (programmer walks into a bar they are 86’d from)

answered Aug 11, 2022 at 23:10

emeryemery

8,67310 gold badges44 silver badges51 bronze badges

401: You need HTTP basic auth to see this.

If the user just needs to log in using you site’s standard HTML login form, 401 would not be appropriate because it is specific to HTTP basic auth.

403: This resource exists but you are not authorized to see it, and HTTP basic auth won’t help.

I don’t recommend using 403 to deny access to things like /includes, because as far as the web is concerned, those resources don’t exist at all and should therefore 404.

In other words, 403 means «this resource requires some form of auth other than HTTP basic auth (such as using the web site’s standard HTML login form)».

https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2

answered Sep 23, 2017 at 12:33

Val KorneaVal Kornea

4,4893 gold badges40 silver badges41 bronze badges

I think it is important to consider that, to a browser, 401 initiates an authentication dialog for the user to enter new credentials, while 403 does not. Browsers think that, if a 401 is returned, then the user should re-authenticate. So 401 stands for invalid authentication while 403 stands for a lack of permission.

Here are some cases under that logic where an error would be returned from authentication or authorization, with important phrases bolded.

A resource requires authentication but no credentials were specified.

401: The client should specify credentials.

The specified credentials are in an invalid format.

400: That’s neither 401 nor 403, as syntax errors should always return 400.

The specified credentials reference a user which does not exist.

401: The client should specify valid credentials.

The specified credentials are invalid but specify a valid user (or don’t specify a user if a specified user is not required).

401: Again, the client should specify valid credentials.

The specified credentials have expired.

401: This is practically the same as having invalid credentials in general, so the client should specify valid credentials.

The specified credentials are completely valid but do not suffice the particular resource, though it is possible that credentials with more permission could.

403: Specifying valid credentials would not grant access to the resource, as the current credentials are already valid but only do not have permission.

The particular resource is inaccessible regardless of credentials.

403: This is regardless of credentials, so specifying valid credentials cannot help.

The specified credentials are completely valid but the particular client is blocked from using them.

403: If the client is blocked, specifying new credentials will not do anything.

answered Jun 2, 2018 at 23:34

401 response code means one of the following:

An access token is missing.
An access token is either expired, revoked, malformed, or invalid.

A 403 response code on the other hand means that the access token is indeed valid, but that the user does not have appropriate privileges to perform the requested action.

answered Feb 17, 2022 at 11:16

Ran TurnerRan Turner

15k5 gold badges47 silver badges53 bronze badges

Given the latest RFC’s on the matter (7231 and 7235) the use-case seems quite clear (italics added):

401 is for unauthenticated («lacks valid authentication»); i.e. ‘I don’t know who you are, or I don’t trust you are who you say you are.’

401 Unauthorized

The 401 (Unauthorized) status code indicates that the request has not
been applied because it lacks valid authentication credentials for
the target resource. The server generating a 401 response MUST send
a WWW-Authenticate header field (Section 4.1) containing at least one
challenge applicable to the target resource.

If the request included authentication credentials, then the 401
response indicates that authorization has been refused for those
credentials. The user agent MAY repeat the request with a new or
replaced Authorization header field (Section 4.2). If the 401
response contains the same challenge as the prior response, and the
user agent has already attempted authentication at least once, then
the user agent SHOULD present the enclosed representation to the
user, since it usually contains relevant diagnostic information.

403 is for unauthorized («refuses to authorize»); i.e. ‘I know who you are, but you don’t have permission to access this resource.’

403 Forbidden

The 403 (Forbidden) status code indicates that the server understood
the request but refuses to authorize it. A server that wishes to
make public why the request has been forbidden can describe that
reason in the response payload (if any).

If authentication credentials were provided in the request, the
server considers them insufficient to grant access. The client
SHOULD NOT automatically repeat the request with the same
credentials. The client MAY repeat the request with new or different
credentials. However, a request might be forbidden for reasons
unrelated to the credentials.

An origin server that wishes to «hide» the current existence of a
forbidden target resource MAY instead respond with a status code of
404 (Not Found).

answered Jun 5, 2018 at 15:26

cjbarthcjbarth

4,2016 gold badges43 silver badges62 bronze badges

I have a slightly different take on it from the accepted answer.

It seems more semantic and logical to return a 403 when authentication fails and a 401 when authorisation fails.

Here is my reasoning for this:

When you are requesting to be authenticated, You are authorised to make that request. You need to otherwise no one would even be able to be authenticated in the first place.

If your authentication fails you are forbidden, that makes semantic sense.

On the other hand the forbidden can also apply for Authorisation, but
Say you are authenticated and you are not authorised to access a particular endpoint. It seems more semantic to return a 401 Unauthorised.

Spring Boot’s security returns 403 for a failed authentication attempt

answered Apr 6, 2022 at 22:44

I think it’s easier like this:

401 if the credentials you are using is not recognized by the system, for example if it’s different realm or something.

if you managed to pass 401

403 if you are not allowed to access the resource, if you get this when you are not authenticated, chances are you won’t be getting it even if you are authenticated, the system doesn’t check if you have credentials or not.

Disclosure: I haven’t read the RFCs.

answered Jul 10 at 20:47

firehfireh

212 bronze badges

In the case of 401 vs 403, this has been answered many times. This is essentially a ‘HTTP request environment’ debate, not an ‘application’ debate.

There seems to be a question on the roll-your-own-login issue (application).

In this case, simply not being logged in is not sufficient to send a 401 or a 403, unless you use HTTP Auth vs a login page (not tied to setting HTTP Auth). It sounds like you may be looking for a «201 Created», with a roll-your-own-login screen present (instead of the requested resource) for the application-level access to a file. This says:

«I heard you, it’s here, but try this instead (you are not allowed to see it)»

answered Dec 12, 2014 at 19:01

Источник

«Четырёхсотые» коды состояния описывают проблемы на стороне клиента: обычно они возникают, когда браузер отправляет серверу некорректный HTTP-запрос.

Но на практике бывает по-разному. Например, ошибка 403 может появиться из-за неправильной логики на сервере. В этой статье попробуем разобрать все возможные причины.

Что означает ошибка 403 (Forbidden)
Что могло пойти не так

Ошибки на стороне пользователя
Ошибки на стороне сайта
Ограничения на стороне хостера или провайдера

Как исправить ошибку 403

Что делать владельцу сайта
Что делать пользователю

Ошибка 403 (Forbidden) — это когда сервер понял запрос, но почему-то отказывается выполнять его и отдавать браузеру HTML-код страницы.

Помимо «Forbidden», сервер может описать ошибку и другими словами: «error access denied» (доступ запрещён), «you don’t have permission to access» (нет разрешения на вход) и так далее. Сообщения разные, но смысл один.

В идеальном мире ошибка с кодом 403 должна возникать, когда доступ к странице пытается получить кто-то, у кого его нет, — например, неавторизованный пользователь.

Но в реальности возможных причин гораздо больше: это и проблемы с устройством пользователя, и неправильно настроенные компоненты сайта, и ограничения со стороны хостера или провайдера, и много что ещё.

Нужна регистрация. Пользователь не авторизован, а для доступа к странице это обязательно. При таком сценарии исправить ошибку просто — залогиниться на сайте.

Неправильный URL-адрес. Возможно, вы случайно постучались на какую-то секретную страничку, а это ни вам, ни серверу не нужно. Банально, но стоит перепроверить ссылку ещё разок.

Проблема в устройстве. Проверить это можно, зайдя на страницу с другого девайса. Если всё откроется, значит, дело в конкретной технике. Причины у этого могут быть разные:

Неправильные данные в кэше. Тогда можно почистить его или перезагрузить страницу сочетанием Ctrl + F5 (при таком принудительном обновлении кэш игнорируется).
Устаревшие данные в cookies. Если проблема в этом, то достаточно почистить их, и всё заработает.
Вы заходите на страницу со смартфона, на котором включён режим экономии трафика. Из-за него браузер может не передавать сайту какие-то нужные ему данные — это и вызывает HTTP-ошибку Forbidden. В этом случае достаточно отключить экономию трафика.

Впрочем, иногда ошибка 403 возникает правомерно. Например, если вы были заблокированы на сайте или пытаетесь получить доступ к служебной странице. В таком случае обратитесь к владельцу сайта, чтобы он снял бан или выдал нужные права.

Кадр: сериал «Парки и зоны отдыха» / NBC

«Forbidden» может возникнуть, если что-то не так с компонентами сайта. Вот несколько возможных проблем, которые может и должен решить администратор сайта.

Некорректный индексный файл. Это файл, который указывает на главную страницу домена или поддомена. Нужно, чтобы у него были правильное название и формат — а они, в свою очередь, определяются CMS, которой вы пользуетесь. Например, для сайтов на WordPress это может быть index.html, index.htm или index.php.

А ещё индексный файл должен находиться в корневой папке домена или поддомена — смотря к чему он относится.

Неправильно расположены файлы сайта. Как и index, другие файлы сайта тоже должны лежать в корневой директории. Где именно — зависит от CMS и хостинга, которые вы используете.

Неверно настроены права доступа. У каждого файла и папки есть права доступа, которые состоят из трёх цифр от 0 до 7: первая — права владельца, вторая — групповые права, третья — публичные права. Сама цифра означает, какие права предоставлены этой группе.

Если у пользователя нет прав на выполнение действия, то он получит HTTP-ошибку 403 Forbidden. Обычно на папки выставляют доступ 755, на файлы — 644.

Проблемы с плагином. Если вы устанавливали плагины для своей CMS, то вызвать код 403 может какой-то из них. Возможно, он не обновился до последней версии, повреждён или несовместим с конфигурациями сайта.

Вот как это проверить, если у вас WordPress:

Перейдите в раздел wp-content и найдите папку plugins.
Переименуйте её — это отключит работу всех плагинов.
Если проблема уйдёт, значит, дело было в плагинах.

Далее можно включать плагины обратно и искать конкретного виновника. Чтобы это сделать, отключайте их по очереди и обновляйте страницу — где-то по пути точно обнаружите, где с каким плагином проблема.

Некорректные указания в файле .htaccess. Если вы используете Apache Web Server, попробуйте переименовать файл .htaccess. Так же как и с плагинами, это отключит его и позволит понять, виновен ли он в ошибке.

Если дело всё-таки в .htaccess, проверьте и исправьте его директивы. Вот на какие условия стоит обратить внимание:

deny (запрещает доступ);
allow (разрешает доступ);
require (запрещает или разрешает доступ всем, кроме указанных пользователей);
redirect (перенаправляет запрос на другой URL);
RewriteRule (преобразует строку с помощью регулярных выражений).

Действия пользователя блокирует брандмауэр. Брандмауэры веб-приложений могут автоматически блокировать действия пользователей, которые считают вредоносными, и возвращать им Forbidden.

Чтобы проверить, в этом ли дело, отключите брандмауэр и повторите запрещённое действие. Если сработает — проблема найдена. Проверьте журнал брандмауэра: там должна быть указана конкретная причина блокировки запроса.

Узнав причину, добавьте её в исключения, и такие запросы будут выполняться корректно.

Тариф хостинга не поддерживает инструменты. Например, вы пишете на PHP 8, а тариф рассчитан только на PHP 7.4. В таком случае придётся либо перейти на другую версию инструмента, либо сменить тариф (а может, и целого хостера).

Бывает так: с логикой на сервере всё в порядке, HTTP-запрос составлен корректно, а ошибка 403 всё равно возникает. Но подождите кричать «Тысяча чертей!» — возможно, шайба на стороне посредника.

Хостер прекратил обслуживание сайта. Просрочка платежа, нарушение условий хостинга, блокировки Роскомнадзора и другие малоприятные истории. Самое время проверить почту — обычно доступ к сайту не отключают без предупреждения.

Не успел обновиться кэш DNS-серверов. Если ваш сайт переезжал на другой адрес, в кэше DNS-серверов могли остаться устаревшие данные. Остаётся только ждать. Обычно кэш обновляется в течение суток, но в редких случаях процесс может занять два-три дня.

Проблемы на стороне провайдера. Возможно, у него неправильно настроена конфигурация оборудования или он заблокировал вас намеренно. Выход один и для пользователя, и для владельца сайта — обратиться к провайдеру.

Да-а, такая маленькая ошибка, а проблем — как с запуском Falcon Heavy на Марс. Держите чек-лист, который поможет не запутаться и быстро всё пофиксить.

Выясните, на чьей стороне проблема. Во-первых, зайдите на сайт самостоятельно — лучше один раз увидеть, чем прочитать тысячу тикетов в техподдержке. Во-вторых, проверьте почту — нет ли там писем счастья от хостера или Роскомнадзора?

Проверьте настройки сайта. Пробегитесь по списку ошибок, о которых мы писали выше. Перебирайте один вариант за другим, пока не поймёте, где собака зарыта.

Если ничего не помогает — обратитесь за помощью к своему хостинг-провайдеру.

Перепроверьте URL страницы: правильный ли он? Вы могли кликнуть по ошибочной ссылке или сайт переехал на другой адрес, а поисковики этого ещё не поняли.
Проверьте, авторизованы ли вы на сайте. Залогиньтесь, если есть такая возможность.
Зайдите на страницу с другого устройства. Если сайт заработал — проблема в устройстве. Попробуйте перезагрузить страницу, почистить кэш и cookies браузера или отключить экономию трафика.
Включите или выключите VPN. Возможно, доступ к сайту блокируется по IP-адресу для пользователей из определённой страны или региона. Попробуйте использовать IP-адреса разных стран.
Подключитесь к другой сети. Например, если пользуетесь 4G, перейдите на Wi-Fi. Это поможет понять, есть ли проблемы на стороне поставщика интернета.

Если ничего не помогает, значит, проблема на стороне сайта. Обратитесь в техподдержку и сообщите об ошибке — возможно, о ней ещё никто не знает.

Источник

Код состояния ответа HTTP 403 Forbidden означает,что сервер понимает запрос,но отказывается его авторизовать.

Хотя поначалу это может показаться пугающим, сообщение об ошибке «403 запрещено» решить проще, чем вы думаете. Это просто означает, что по какой-то заранее определенной причине содержимое веб-сайта, к которому вы пытаетесь получить доступ, заблокировано.

Всегда стоит попробовать обновить страницу.Во многих случаях ошибка 403 является временной,и простое обновление может помочь.Большинство браузеров используют для обновления Ctrl+R в Windows или Cmd+R в Mac,а также предоставляют кнопку Refresh где-нибудь в адресной строке.

403 Forbidden

Код состояния ответа HTTP 403 Forbidden указывает, что сервер понимает запрос, но отказывается его авторизовать.

Этот статус аналогичен 401 , но для кода статуса 403 Forbidden повторная аутентификация не имеет значения. Доступ постоянно запрещен и привязан к логике приложения, например, недостаточные права на ресурс.

Status

Example response

HTTP/1.1 403 Forbidden
Date: Wed, 21 Oct 2015 07:28:00 GMT

Specifications

Browser compatibility

	Desktop	Mobile
	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari	WebView Android	Chrome Android	Firefox для Android	Opera Android	Safari на IOS	Samsung Internet
`403`	Yes	12	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes

Общая информация о HTTP кодах ошибок клиента

HTTP код ошибки 400, код ошибки 401, код ошибки клиента 402, код ошибки 403, HTTP код ошибки клиента 404, ошибка клиента 405

HTTP код ошибки 406, код ошибки 407, HTTP код ошибки клиента 408, код ответа сервера 409, код ошибки 410, код ошибки клиента 411, HTTP код 412

HTTP код ошибки клиента 413, код ошибки клиента 414, ошибка клиента 415, ошибка 416, HTTP код 417

1xx informational response

2xx success

3xx redirection

4xx client errors

5xx server errors

Unofficial codes

Internet Information Services

nginx

Cloudflare

AWS Elastic Load Balancing

Caching warning codes (obsoleted)

See also

Explanatory notes

References

External links

Brief and Terse

Detailed and In-Depth

TL;DR

Practical Examples

RFC (2616 Section 10)

401 Unauthorized (10.4.2)

403 Forbidden (10.4.4)

403 Forbidden

403 Forbidden

Status

Example response

Specifications

Browser compatibility

See also

HTTP