httphttp-status-codeshttp-status

What's the appropriate HTTP status code when the request is missing a required cookie?


I have an API endpoint and the request should have a cookie (not authentication). What would be the correct HTTP status code to return if it isn't present?

I would assume a 400 Bad Request would be the best.


Solution

  • No much details are provided in your question, but I guess 400 (Bad Request) is a good option:

    6.5.1. 400 Bad Request

    The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

    However, depending on your requirements, you also could consider the 422 (Unprocessable Entity) status code, defined in the WebDAV specification, which is just an extension of the HTTP protocol:

    11.2. 422 Unprocessable Entity

    The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415 (Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.


    Just remember providing a good description in the response payload explaining what's missing in the request.