Question

If somebody accesses my server via HTTP (i.e. not HTTPS), then I redirect GET requests to the HTTPS version.

But I don't know what to do with POST and PUT because I cannot redirect them (the browser does a GET on redirect, I believe).

I should return an error code. What HTTP error code should I return?


Solution

http://www.ietf.org/id/draft-ietf-httpbis-p2-semantics-18.txt explains HTTP response codes. If you want an error code, just return a 404 if requests cannot be serviced at that URL.

7.4.5. 404 Not Found

The server has not found anything matching the effective request URI. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

OTHER TIPS

Typically, you would return a 403 Forbidden. The general description of this is "The server understood the request, but refuses to authorize it.", which would fit your situation.

Technically, the right answer is to use 403.4, but substatuses are an IIS-only feature and nginx doesn't support them.

So I'd prefer to return 418 "I'm a teapot" or 451 "Unavailable For Legal Reasons" (because it's not legal to use plain-text HTTP anymore, haha, just joking :)); these statuses are quite exotic and should trigger the client to figure out what is going on.

nginx has an option to return a status with a text body, like:

# cat /etc/nginx/conf.d/default.conf
server {
    listen       80 default_server;

    location / {
        # Note: add_header only takes effect for 2xx/3xx responses unless the
        # "always" parameter is given, so for a 418 this line is skipped and
        # nginx sends its default_type (application/octet-stream in the curl
        # output below). "default_type text/plain;" would set the type instead.
        add_header Content-Type text/plain;
        # "return CODE TEXT" sends the status with TEXT as the response body.
        return 418 "TLS REQUIRED";
    }
}

# curl -v  http://localhost/
* About to connect() to localhost port 80 (#0)
*   Trying ::1...
* Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 418
< Server: nginx/1.16.1
< Date: Sat, 15 Feb 2020 07:13:20 GMT
< Content-Type: application/octet-stream
< Content-Length: 12
< Connection: keep-alive
<
* Connection #0 to host localhost left intact
TLS REQUIRED

But browsers like Chrome or Firefox can't handle this right: Chrome says ERR_INVALID_RESPONSE and Firefox says "File not found", and this behavior doesn't achieve our goal.

So I'll stay with just returning status 418.
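As an added example (not from the question or from any of the answers above), here is a Go net/http handler for the plain-HTTP listener that implements the split this thread arrives at: GET and HEAD are answered with a 301 to the https:// URL, every other method gets an error status and a text/plain body telling the client where to resend. The canonical host name, the choice of 403, and the three sample requests are assumptions. Two points the answers only touch on are handled deliberately: the redirect points at a configured host rather than echoing the request's Host header, so a client cannot choose the Location it is sent to, and the refused request's body is never read, since it already crossed the network in cleartext and nothing the server does now can undo that.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tlsRequiredStatus is sent for methods we will not redirect. 403 follows the
// "Forbidden" suggestion in the answers; this is an assumption, and any 4xx the
// deployment prefers (404, 418, ...) works the same way.
const tlsRequiredStatus = http.StatusForbidden

// NewPlainHTTPHandler builds the handler served on port 80. canonicalHost is a
// fixed, operator-chosen host; using it instead of r.Host keeps a client from
// steering the Location header to a host of its choosing.
func NewPlainHTTPHandler(canonicalHost string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := url.URL{
			Scheme:   "https",
			Host:     canonicalHost,
			Path:     r.URL.Path,
			RawQuery: r.URL.RawQuery,
		}
		switch r.Method {
		case http.MethodGet, http.MethodHead:
			// Safe methods carry no body, so nothing is lost by redirecting;
			// the browser issues a GET for the https:// URL.
			http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
		default:
			// POST, PUT, PATCH, DELETE, ...: the body has already been sent in
			// cleartext; a redirect cannot undo that. Refuse with a plain-text
			// explanation rather than silently turning it into a GET. The body
			// is intentionally never read.
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			w.Header().Set("Cache-Control", "no-store")
			w.WriteHeader(tlsRequiredStatus)
			fmt.Fprintf(w, "TLS required: resend this %s request to %s\n", r.Method, target.String())
		}
	})
}

// serve pushes one synthetic request through the handler and returns the
// recorded response. The Host in the request URL is deliberately not the
// canonical host, to show that the redirect ignores it.
func serve(h http.Handler, method, path string, body io.Reader) *httptest.ResponseRecorder {
	req := httptest.NewRequest(method, "http://attacker-chosen.example"+path, body)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec
}

func main() {
	h := NewPlainHTTPHandler("www.example.com") // assumed canonical host
	cases := []struct{ method, path string }{ // constructed sample requests
		{http.MethodGet, "/login?next=%2Faccount"},
		{http.MethodPost, "/login"},
		{http.MethodPut, "/api/items/42"},
	}
	for _, c := range cases {
		rec := serve(h, c.method, c.path, strings.NewReader("user=alice&pass=hunter2"))
		fmt.Printf("%-4s %-24s -> %d  Content-Type=%q  Location=%q\n",
			c.method, c.path, rec.Code, rec.Header().Get("Content-Type"), rec.Header().Get("Location"))
	}
	// For a real listener, replace the loop with:
	//   log.Fatal(http.ListenAndServe(":80", h))
}
```

If redirecting rather than refusing is preferred, 307 and 308 are the codes that tell a conforming client to replay the same method and body at the new location; the example refuses because that is what the question asks for. Strict-Transport-Security belongs on the TLS listener, not here: browsers ignore the header when it arrives over plain HTTP.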

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow