Re: [mod-security-users] Feedback on changing default HTTP 500 Response
From: Kelson V. <ke...@sp...> - 2006-09-20 06:32:23
On Sep 19, 2006, at 9:55 PM, Jim Watt wrote:

> I haven't done it, but "410 - Gone" seems reasonable to me. The problem
> with 500 is clear - what if there really is an internal server error?
> 403 is ambiguous for the same reason. But 410 is described this way
> by w3.org, quoting from RFC 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html):

I disagree, based on the same section you quoted (more about that after the quote):

> --------------------
> The requested resource is no longer available at the server and no
> forwarding address is known. This condition is expected to be
> considered permanent. Clients with link editing capabilities SHOULD
> delete references to the Request-URI after user approval. If the
> server does not know, or has no facility to determine, whether or
> not the condition is permanent, the status code 404 (Not Found)
> SHOULD be used instead. This response is cacheable unless indicated
> otherwise.
>
> The 410 response is primarily intended to assist the task of web
> maintenance by notifying the recipient that the resource is
> intentionally unavailable and that the server owners desire that
> remote links to that resource be removed. Such an event is common
> for limited-time, promotional services and for resources belonging
> to individuals no longer working at the server's site. It is not
> necessary to mark all permanently unavailable resources as "gone"
> or to keep the mark for any length of time -- that is left to the
> discretion of the server owner.

The way I read it is that 410 is a permanent version of 404. "This document is gone and it's never coming back," as opposed to "I can't find this document."

If the resource actually still exists, and access is being blocked for security reasons, I think 403 - Forbidden would be more accurate:

> The server understood the request, but is refusing to fulfill it.
> Authorization will not help and the request SHOULD NOT be repeated.
> If the request method was not HEAD and the server wishes to make
> public why the request has not been fulfilled, it SHOULD describe
> the reason for the refusal in the entity. If the server does not
> wish to make this information available to the client, the status
> code 404 (Not Found) can be used instead.

Seems clear: the server understood the request and is refusing to fulfill it, and authorization will not help.

FWIW, I've seen several blogspam filters use 412 Precondition Failed. (One example is older versions of the Bad Behavior plugin for WordPress, which has since switched to 403.) It's still overloading the status codes, though.
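For readers who want to see what the discussion above translates to in practice, here is an added configuration example (not from the thread or from the ModSecurity project's documentation) showing how to make ModSecurity deny with 403 rather than the default 500, and how to keep the response body from explaining the refusal. It assumes ModSecurity 2.x directive syntax (`SecDefaultAction`, `SecRule` with a mandatory `id`) and Apache's `ErrorDocument`; the rule id and the `/forbidden.html` path are placeholders.

```apache
# Enable the rule engine in blocking mode.
SecRuleEngine On

# Default disposition for any rule that does not name its own action:
# log the hit and deny with 403 Forbidden. Using 403 instead of 500
# keeps WAF denials separable from genuine internal server errors in
# the access log (the ambiguity raised in the thread).
SecDefaultAction "phase:2,log,deny,status:403"

# Example rule (placeholder id) that relies on the default action.
# Missing or empty Host header is just a benign demonstration trigger.
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:100001,phase:1,msg:'Request without Host header'"

# Per RFC 2616, a server that does not wish to disclose why it refused
# may answer 404 instead. Override per rule when that is the intent:
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:100002,phase:1,deny,status:404,msg:'Hidden admin path'"

# Serve a neutral body for 403 so the entity does not describe the
# reason for refusal (the SHOULD in 10.4.4 is optional, not required).
ErrorDocument 403 /forbidden.html
```

With this in place, a monitoring query can treat 403 (with the ModSecurity `msg` in the error/audit log) as policy denials and reserve 500 for application or server faults, which is the operational reason the thread favours 403 over 500 or 410.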