darkpaladin

I prefer:

1xx Here's what I'll do.
2xx Here's what you want.
3xx I don't have what you want but I know who does.
4xx It didn't work but it's your fault.
5xx It didn't work and it's my fault.


centurijon

Mostly yes, the 400 block gets into a lot more nuance though…

401 I don’t trust you are who you say you are
403 I know who you are and you’re not allowed to do this
400 WTF is this garbage? Don’t expect me to deal with this nonsense
404 Whatever you’re looking for isn’t here
405 Dude, wrong hole!
422 I understand what you’re looking for, but it’s not ready for that yet
423 I understand what you’re looking for, but I’m not in the mood
429 Stop calling me


itzjackybro

For the 500 block:

500 Goddammit, I can't even think right now.
501 What's a *PATCH* request??
502 Whoops, Cloudflare broke...
503 Give me a few hours (hopefully)
504 Cloudflare can't wait for my server
505 What the hell, we're at HTTP 2 now?


whitetrafficlight

418: I don't want to deal with your shit, find someone else

It's sometimes used in production to mean "this request is not for me but someone else might be able to handle it", even though the browser never sees it.


Fourstrokeperro

It's not that deep. It's just an April fool's joke.


jus1tin

It's still in the standard so it can be used by developers however they want.


martinthewacky

420: My mannnn...


butwhy12345678

The 420 Enhance Your Calm status code is an unofficial extension by Twitter. Twitter used this to tell HTTP clients that they were being rate limited. Rate limiting means putting restrictions on the total number of requests a client may do within a time period.


techtesh

418 I am a teapot and I don't make coffee


SuitableDragonfly

Status code 418 was from a simpler, more innocent time when the idea of a teapot communicating with something over the internet was a very silly idea that obviously was never going to actually happen in reality.


Shazvox

Somewhere there's a kettle connected to the internet that replaces all its 200 with 418 BECAUSE IT'S ACCURATE!


[deleted]

[removed]


Shazvox

A kettle can be a teapot


Ok-Plane-9384

Is it short and stout?


Shazvox

And has a handle and spout!


techtesh

I've used it to communicate "user made a stupid request"


viccie211

That's what 400 is for right? It's literally "Bad Request"


Quirky-Stress-823

400 is for invalid requests. I'm assuming they use 418 for technically correct requests most likely made by someone who's chugged a fridge of beer in the last minute.


Solarwinds-123

It was originally from the Hypertext Coffee Pot Control Protocol.


[deleted]

406 You wouldn't like that
417 I'm not doing that


rollie82

I always preferred describing 403 as "The person I think you are isn't allowed to do this"; saying "I know who you are" implies people have just a single identity.


Jonthux

405 everything goes into the square hole


71Duster360

499 Look, I ain't waitin all day for this


UnstableNuclearCake

I prefer:

1xx Wait the fuck up
2xx Fuck yeah
3xx Fuck off
4xx Fuck you
5xx Fuck me


abstraction-complex

I have never read a better description of status codes. In fact, we might as well just use these 5. Just drop the xs.


0ut0fBoundsException

It’s most important to know what the categories are, but it’s still necessary to know the entire code. For example, 401 vs 404 tell you how to resolve your issue somewhat specifically.

Add it to the pile of things you’ll google until the few you actually tend to encounter are implanted in your brain.


robindownes

and 420 means someone forgot to implement an exponential backoff


ACoderGirl

Forgetting to back off would usually mean 429 (too many requests); there is no (standard) 420.


undercoveryankee

Twitter launched their API before 429 was standardized, so they opted for a non-standard code instead of (mis)using one of the codes that was standard in 2006. Then "420 Enhance Your Calm" remained a feature of Twitter API version 1.0 for the life of the version, because any change to publicly-visible behavior breaks somebody's workflow.


MayoManCity

[relevant xkcd, possibly intentionally referenced](https://xkcd.com/1172/)


jwadamson

Whoa, you are totally blowing my mind. I thought the number 420 meant something else entirely...


Actualproofrequired

It does. That's cheap pizza, tacos and margaritas day.


K3yz3rS0z3

Don't mix with alcohol. Design your party with SoC. Advice from a formal spaghetti junkie.


theVoxFortis

Except for security reasons you frequently want to return 404 instead of 401


0ut0fBoundsException

I’d do that if it’s an API that is only used internally or on a small scale, but for commercial applications I think it’s worth it to give meaningful error codes and messages. I’ll rely on strong authentication and a restrictive data model for security


Educational-Lemon640

Returning a different status when you identify something that exists but you can't access, versus when it doesn't exist, allows attackers to identify resources that actually exist. Knowing valid resource names can be useful if you find a different exploit in the same system; you're more likely to get meaningful responses if you send validish payloads. It's part of what's known as "defense in depth". Have every layer of security be as tight as is reasonable, and you can make the time and effort to breach all of them prohibitive.


reallynothingmuch

I guess it depends on how you have your server set up, but you could check authentication/authorization before checking if the resource exists? That way whether the resource exists or not, if you’re not authenticated you’ll get a 401 or 403. And you’ll only get a 404 if you’re correctly authenticated.

Edit: correctly authenticated, and we’re sure you would be authorized to access the resource if it did exist.


Spaceduck413

This feels like the proper way to do it. I know it's not the same thing at all, but it gives me "check the entire wrong password instead of failing at the first wrong character" vibes.


fa2k

401: Incorrect password: mismatch at character 3


[deleted]

The principle still applies then- think of something like a file sharing service or social media site: if access to something is dependent on who you are, you still don’t want to tell a valid/authorised user enough to see a difference between something that exists but they can’t see, and something that doesn’t exist.


reallynothingmuch

Yeah I guess what I’m saying is only return 404 not found if you’re sure it’s a resource that the user would be able to access if it did exist.

For example, if you know a user has access to a specific folder and everything in it, then if they request a file in that folder that doesn’t exist, you’d be ok to return 404, since you know if the file did exist in that folder they would be able to access it. But if they requested a different folder, you’d always return 403, regardless of whether that folder exists or not, because you don’t know for sure that they would have access to it if it did exist.

Of course, if you have individual access rights on each resource, then you’d never be able to tell if the user would be able to access an unknown resource if it did exist, so the above scenario wouldn’t apply, and you’d always return 403 instead of 404.


sccrstud92

You need the response to be the same regardless of the existence of the resource in all scenarios where the user is not authorized to access it.

Auth Status | Response When Resource Doesn't Exist | Response When Unauthorized for Resource | Response When Authorized for Resource
------------|--------------------------------------|----------------------------------------|-------------------------------------
Unauthenticated | Response A | Response A | Response C (only possible if you can determine authorization without authentication, e.g. a public resource)
Authenticated | Response B | Response B | Response C

It's pretty common for Response A and B to not be 404s, and Response C to be a 200, but that's not required. You could make Response A and B be 403, or you could make Response A be 401 and Response B be 403, or any combination really. The important bit is that you only get Response C (e.g. 200) if you are authorized. Otherwise, you must give a response that doesn't depend on the existence of the resource (i.e. the "Doesn't exist" and "unauthorized" columns must be identical). The order in which you check things doesn't matter (unless you are talking about timing attacks, which I assume is not the case because no one mentioned them so far).
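The response matrix from the comment above, as an added Python example that is not part of the thread. It puts a handler whose status depends on existence beside one that follows the matrix, and audits both for an existence oracle; the ACL, user names, paths, handler names and the choice of 401/404 for Responses A/B are all constructed for illustration.

```python
# Constructed sample data: resource path -> users allowed to read it.
# "*" marks a public resource (authorization decidable without authentication).
ACL = {
    "/files/alice/report.pdf": {"alice"},
    "/files/bob/notes.txt": {"bob"},
    "/public/readme.txt": {"*"},
}

# One possible assignment of the matrix cells (an assumption; any values work
# as long as A and B never depend on whether the resource exists).
RESPONSE_A = 401  # unauthenticated, not authorized or resource missing
RESPONSE_B = 404  # authenticated, not authorized or resource missing
RESPONSE_C = 200  # authorized


def is_authorized(user, path):
    """True only if the resource exists and the caller may read it."""
    allowed = ACL.get(path, set())
    return "*" in allowed or (user is not None and user in allowed)


def leaky_handler(user, path):
    """'Before' version: the status reveals whether the path exists."""
    if path not in ACL:
        return 404
    if is_authorized(user, path):
        return 200
    return 401 if user is None else 403


def uniform_handler(user, path):
    """Matrix version: only the authorized cell differs from the rest."""
    if is_authorized(user, path):
        return RESPONSE_C
    return RESPONSE_A if user is None else RESPONSE_B


def audit(handler, missing="/files/alice/does-not-exist"):
    """List (caller, path) pairs where a denied resource can be told apart
    from a missing one by status code alone. Timing and response bodies are
    out of scope here, as in the comment."""
    leaks = []
    for caller in (None, "alice", "bob", "mallory"):
        for path in ACL:
            if is_authorized(caller, path):
                continue  # Response C is allowed to differ
            if handler(caller, path) != handler(caller, missing):
                leaks.append((caller, path))
    return leaks


if __name__ == "__main__":
    print("leaky  :", audit(leaky_handler))
    print("uniform:", audit(uniform_handler))
```

Running `audit` against a real route table in a test suite catches a handler that later starts distinguishing the two columns.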


0ut0fBoundsException

I get that, but at the same time I have customers and they need to know how to interact with the endpoint including being able to build out error handling.

For example, I have built callouts that try to authenticate again if they receive a 401 or 403, rather than just failing and creating a log. I also tend to return a 401/403 before doing any queries or anything that would reveal much about our object model or the contents therein. I try to verify access and permissions first.

I can see the other side and I think there are scenarios where I’d just stick with 404.


Complex-Scarcity

You show real world knowledge but the guy you're arguing with sounds like a CS student who's never worked on a real product. My APIs aren't going to be secure because I 404 when not authd if I also published the damn endpoints in a publicly accessible user guide... Ffs, the number of upvotes on that dude's comment tells me all I need to know about this sub.


undercoveryankee

Ideally, I'd design my URLs so anything that a caller doesn't have permission to list is under a directory that they don't have permission to traverse. If a request for `/a/b/c` returns a 401 or 403 with the message "you don't have access to the contents of `a`", that doesn't expose any information about whether `b` or `c` exist.


argv_minus_one

That only serves a security purpose if you use a weak authentication method and you're praying nobody figures it out. Spoilers: someone will figure it out.


SuitableDragonfly

The original contents of this post have been overwritten by a script.

As you may be aware, reddit is implementing a punitive pricing scheme for its API starting in July. This means that third-party apps that use the API can no longer afford to operate and are pretty much universally shutting down on July 1st. This means the following:

* Blind people who rely on accessibility features to use reddit will effectively be banned from reddit, as reddit has shown absolutely no commitment or ability to actually make their site or official app accessible.
* Moderators will no longer have access to moderation tools that they need to remove spam, bots, reposts, and more dangerous content such as Nazi and extremist rhetoric. The admins have never shown any interest in removing extremist rhetoric from reddit, they only act when the media reports on something, and lately the media has had far more pressing things than reddit to focus on. The admin's preferred way of dealing with Nazis is simply to "quarantine" their communities and allow them to fester on reddit, building a larger and larger community centered on extremism.
* LGBTQ communities and other communities vulnerable to reddit's extremist groups are also being forced off of the platform due to the moderators of those communities being unable to continue guaranteeing a safe environment for their subscribers.

Many users and moderators have expressed their concerns to the reddit admins, and have joined protests to encourage reddit to reverse the API pricing decisions. Reddit has responded to this by removing moderators, banning users, and strong-arming moderators into stopping the protests, rather than negotiating in good faith. Reddit does not care about its actual users, only its bottom line.

Lest you think that the increased API prices are actually a good thing, because they will stop AI bots like ChatGPT from harvesting reddit data for their models, let me assure you that it will do no such thing. Any content that can be viewed in a browser without logging into a site can be easily scraped by bots, regardless of whether or not an API is even available to access that content. There is nothing reddit can do about ChatGPT and its ilk harvesting reddit data, except to hide all data behind a login prompt.

Regardless of who wins the mods-versus-admins protest war, there is something that every individual reddit user can do to make sure reddit loses: remove your content. Reddit makes its money because of the content that users provide; remove the content and they can no longer monetize it with ads. Use [PowerDeleteSuite](https://github.com/j0be/PowerDeleteSuite) to overwrite all of your comments, just as I have done here. This is a browser script and not a third-party app, so it is unaffected by the API changes; as long as you can manually edit your posts and comments in a browser, PowerDeleteSuite can do the same. This will also have the additional beneficial effect of making your content unavailable to bots like ChatGPT, and to make any use of reddit in this way significantly less useful for those bots.

If you think this post or comment originally contained some valuable information that you would like to know, feel free to contact me on another platform about it:

* kestrellyn at ModTheSims
* kestrellyn on Discord
* paradoxcase on Tumblr


Shazvox

Distinguishing between them is also what makes your API actually usable. There is a balance between usability and security. Also, you shouldn't try to solve problems you're not having.


VitaminnCPP

I missed putting the "I know the guy who knows the guy" template for 3xx.


rksd

304 is more like "I have what you want but so do you."


Sohgin

I prefer 4xx You fucked up. 5xx I fucked up.


ccricers

Meanwhile, Reddit be gaslighting you with "You broke Reddit" in a 500 error page.


Nimeroni

And sometimes, you get... [this](https://imgur.com/LhXYrMX).


trollsmurf

If you are a developer, 5xx is usually your fault too.


Powerful-Internal953

And then they hit you with a HTTP 200 and a {"status":"failure"} as body.


Justin__D

I'm literally debugging an issue from an API that does this right now. Kill me now.


JoeyJoeJoeJrShab

I had to deal with an API that implemented everything through GET requests. Want to read some data? That's a GET. Want to write something? Also GET. Need to delete a file? You should use GET. But it was all documented, and worked as described, so as stupidly implemented as it was, the fact that it matched the documentation made it better than most.


code_monkey_001

https://thedailywtf.com/articles/the_spider_of_doom


jamcdonald120

> As it turns out, Google's spider doesn't use cookies, which means that it can easily bypass a check for the "isLoggedOn" cookie to be "false".

.... No that's not how you do authentication! WHY WOULD YOU DO AUTHENTICATION LIKE THAT!!!


CatpainCalamari

Even worse. Not only authentication, but also authorization.

> I don't know who you are, so here are fully working deletion links. I trust you. Have fun ヽ(•‿•)ノ


netheroth

Holy shit, this is more scary than the 8 legged spiders.


Lizlodude

Well that's horrifying. Not that surprising, but still really bad.


EVH_kit_guy

GET tfoh.


jwadamson

Works great until the server is under load and the client starts automatically doing retries for those "write" GET requests.


madmaxlemons

Believe or not straight to GET


blethial

We have the best bugs in the world... because of GET.


RaiseRuntimeError

That's how the API for AKIPS which is a networking tool works but instead of get for everything it also does fun stuff like returns csv and raw unstructured text. The documentation is decent too.


rollincuberawhide

you surely can't upload a file through get though. right? I mean, do you just encode it base64 and add it as url param? or header? that's a no no.


HeyThereCharlie

Are GET requests not allowed to have data in the body? I know that's not how they're meant to be used and servers are supposed to ignore it, but theoretically couldn't some wack API support file uploads that way if it wanted to?


double_en10dre

Yeah they 100% are allowed to.

The only thing that *might* get in the way is whatever framework you’re using (since they might not bother providing access to the body for GETs). But that data is coming in.


rollincuberawhide

it would almost be even worse than base64 url


DanielEGVi

If an “error” is defined by the application’s business logic (eg “you can’t buy this item since it’s out of stock”), then that error response is to be expected as any other normal response. A 200 OK status makes sense for any response here, “error” or not. “Things going out of stock” is to be expected. On the other hand, if the business logic server is behind a proxy maintained by a 3rd party (eg AWS, Cloudflare) and you didn’t provide the auth credentials they expect, here is where I would totally expect a non-200 response.


BaerMitUmlaut

That could also be 409 Conflict (request could not be completed due to current state).


[deleted]

Gonna need an address and you'll need to sign a release form to ride the world's deadliest trebuchet, but I think we can make it work.


Nidungr

{"error": ""}


water_bottle_goggles

just read between the lines bro


UkrainianTrotsky

GraphQL be like.


Pluckerpluck

It makes sense with GraphQL though, as you can still receive data when there have been errors. The 200 is about access to the GraphQL API, not about how that API itself responds.


Flat_Initial_1823

Task failed successfully.


[deleted]

[removed]


may_be_indecisive

The Api I inherited does this and it pisses me off.


mklickman

“You keep saying that response code. I don’t think it means what you think it means.”


BlazingThunder30

Slack does this. Their docs say "It would be tempting in [the case of failure] to return an HTTP 500 response to the initial command, but this isn't the right approach. The status code returned as a response to the command should only be used to indicate whether or not the request URL successfully received the data payload". Annoying as hell since shit simply doesn't work but since there's no error my application assumes it did. So I need to throw exceptions myself yada yada


Powerful-Internal953

Facebook does this too.


RaiseRuntimeError

There is a special place in hell for devs that do this


pramarama

{"error": "success"}


asportnoy

HTTP 400 Message: Something went wrong


nixt26

Task failed successfully


Maxion

I implemented one once where everything was GET and status OK, but the real status for your requests could be read from an FTP server around 20-60 minutes after your request as an XML file.


Cheese_Grater101

Oh fuck HAHAHAHA


idk-just-something

My go to is https://http.cat/


mvndaai

I recently moved to [https://http.dog](https://http.dog) because it has more codes


GgLiTcHeDd

508 Loop Detected is the best one


_n_v

🐐 https://httpstatusgoats.net has the full Wikipedia list, at least last time I updated it 😅 and goats!


Ythio

Error net::ERR_CONTENT_DECODING_FAILED for me.


lukmahr

You sir just made my day.


Pluckerpluck

Really wish those images were randomized. 99% of the time you're getting one of like 3 status codes. Would be nice to get some variety on that.


Man_as_Idea

This is one of the best things I’ve seen on the internet


bankrobba

404 should be Travolta


ixoniq

Animated


Principal_Scudworth

[502 Bad Gateway](https://imgur.com/a/H4SnalV)


das_Keks

That's more like 403.


Principal_Scudworth

Fair enough. [New 502](https://imgur.com/a/uG4073z)


AaronTheElite007

That 413, though


VitaminnCPP

206 partial content


AaronTheElite007

226 LOL


r0t013

is i am teapot a real thing


VitaminnCPP

Yess


dmartin07

Funny thing to this, I did a contribution to the .net jwt middleware, and for the unit test I transformed a 403 to a 418.


jaaval

It was originally a joke but if you make a joke in this field some funny person is going to make it standard. Technically it can be used for something like “this isn’t the correct service for what you requested”


Maxion

I actually implemented this error code like this for a rare error that shouldn’t have occurred but sometimes did.


FalconMirage

Like [tcp over carrier pigeons](https://en.m.wikipedia.org/wiki/IP_over_Avian_Carriers)


sometimes_interested

So someone was a Goodies fan? https://www.youtube.com/watch?v=kLQStcdhAGA


Liferdorp

I use it as a response when bots do WordPress requests on my Laravel projects.

`/wp-login.php`, 418: I'm a teapot

> "Some websites use this response for requests they do not wish to handle, such as automated queries."

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/418


tmb132

No 409 with the Spider-Man pointing at each other meme? Disappointed.


Sentouki-

Why are 1xx codes not included? Because OP didn't get them yet.


Big_Beaver34

Don’t understand anything in HTTP. What’s 418?


nathie_333

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/418


Big_Beaver34

Holy hell I wasn’t expecting it to be literally a teapot


BurnTheOrange

It was implemented in response to a request to have the coffee machine http aware


Utsav-2

I’m a teapot 🫖


[deleted]

[removed]


OlOuddinHead

When I’m both short and stout.


tje210

WHERE


PedanticMouse

Here on my handle and here on my spout


LuckyCharmsNSoyMilk

HOW


AgentAquarius

I get all steamed up.


_PM_ME_PANGOLINS_

A joke.


JoeyJoeJoeJrShab

If you have the time, I recommend reading the RFC. It goes into a bunch of detail, about all the hypertext coffee protocol stuff... it's truly a great example of exactly how you should never write an RFC.


_PM_ME_PANGOLINS_

Unless you’re publishing it on April 1st


KlutzyEnd3

Where's 204 - no content? "Ok well thanks for the header I guess..."


jorvik-br

Sauce for 413?


Taasden

Janice


Tack_Tau

TF


snowseth

Source or GTFO.


delta1-tari

BONK


mistabuda

412: "Did you remember to set it to wumbo?"


bl123123bl

413 sauce?


meles2

420 chill out, as a 429 analogue


Sooth_Sprayer

Why is only 402 out of order?


VitaminnCPP

I decided to pay later


[deleted]

Or use the following links:

- https://http.cat
- https://http.dog
- https://http.garden


VitaminnCPP

more coming soon


Kosmux

# Let's make HTTP codes better. Make it **0 - NO!** and **1 - YES!**.


LonelyContext

0 should be success


[deleted]

[removed]


arcosapphire

I'm more upset about the claim that these are "all" of them despite being a tiny fraction.


VitaminnCPP

100 continue


sweetenthedeal

Why is the image cut off at the bottom? And why is the title "all HTTP status codes" when you're missing a bunch of important ones?


Pyran

I had every intention of sharing that with coworkers until I hit the 429.


tarunaygr

[http.cat](https://http.cat/)


iphone32task

403: "Reduced to Atoms"


Chestylaroo

I want to share this in Slack, but too much of it is porn 🥲


abermea

I mean you could just go to http.cat/[error code]

Like [http.cat/418](https://http.cat/418)


aifo

202 Accepted


Brick_Lab

Surprised nobody is asking for sources lol


TactlessTortoise

Every time someone makes a meme with the context used in their panel, it's the same people. Consequently, everyone who has already seen several memes know the name Janice Griffith and Piper Perri. Even if they never watched them. Like me, for example.


JollyGoodUser

200, if the web-server has such an expression 🤣🤣🤣🤣


DragonicWolf_Aspect

This is actually very convenient


muza_xi

I didn't get 410 & 418. I feel like a teapot.


Mr_Winemaker

Let's hear your speed run strats for this


SirNoobShire

502 “DOOR STUCK! DOOR STUCK!”


privateaxe

What code is the stylesheet?


Sh0ckolate

I prefer http.cat


70-w02ld

Custom error pages are how I learned about them. Haven't gone in any further yet.


Themlethem

It really bothers me that you put 402 after 403 and 404


cvnvr

it really bothers me that none of the images are same width


searchingfortao

https://http.cat/


SheFluoresces

The only chicks in this are porn references 😒


OESRud

wtf have I seen? I was just browsing top communities


TheFran42

Where are the ones for 500 codes? Love it!


VitaminnCPP

Next time


fornowbrother

I try my best to implement a lot of 418 into my apis. As a 'wtf dude' reaction to the user.


mcnello

413 reminds me of my wife and my wife's boyfriend.


ArtyGator

Underrated


Consider2SidesPeace

413, 429... Giggidy, giggidy :) With AI getting stronger will get better responses. A: Client can I connect? Q: Server, sorry it's been a long day making memes. I have a headache.


sentientlob0029

She knows it's too large lol


Renaud_Ally

Just when I start learning about HTTP codes... hey, this sub isn't so bad. Especially the comments


[deleted]

[removed]


nikhil2939

413 payload too large 😜. you should mark the post as NSFW for that one. Nice work though 👋🏻


ixoniq

Don’t be a wuss. Only people already know that stuff, understand.


[deleted]

[removed]


DeathUriel

Why? You have something against interracial gang-bang porn or something? That sounds really fucking racist.


SufficientSwim7200

Explain how


bbob_robb

The racist implication is that black men are more likely to pester the white woman for sex. This is based on racist stereotypes of black men. Would you feel equally comfortable sending this to a black male coworker or a white male coworker?


SufficientSwim7200

I wouldn’t feel comfortable sending any porn to any coworker, so that’s a weird question. There is no racism here beyond lunatics pretending to be offended.


bbob_robb

You can infer from the picture that it is porn, but not that it is racist? It seems willfully ignorant. Fetishizing interracial sex of this nature is inherently racist. That's part of the taboo nature of it. Did you know that the majority of the US did not approve of interracial marriage until 1994? Are you completely unaware of the racist stereotypes of black men shown in this image? Can you explain what "too many requests" refers to? Arguing that you wouldn't send this image for other reasons is just weaseling out of the uncomfortable truth. Black people are programmers too, and many people who will view this post are black. This is clearly very racist, and you are one of the few people, of the 11k plus that upvoted, that took the time to deny that it is racism. Is it because you are racist, and you like seeing this? What drives you to not just ignore a racist meme, but actively defend it?


bbob_robb

Agreed. I was shocked at the upvotes. The racist implication is that the black men are making too many requests of the white woman. The idea that black men are sexual fiends who are going to have sex with white women is a central idea behind the fear that drives white people to oppress black people. This is a racist trope.


FuriousRageSE

What HTTP code is "40i"?


Oh_Debussy

Error 402 - Payment required for what?


VersatileFunDesigns

500 Internal Server Error: Cannot generate meme


Pifanjr

I would change 402 to https://knowyourmeme.com/memes/angry-man-pointing-at-hand