Post History

Q&A "Forbidden" ("403") page actually uses HTTP status 401 Unauthorized instead of 403 Forbidden for deleted posts without permission


1 answer  ·  posted 4y ago by Canina‭  ·  last activity 4y ago by sau226‭

#4: Post edited by user avatar sau226‭ · 2020-10-15T08:39:59Z (about 4 years ago)
There's a variety of actions which result in a display page saying "403 FORBIDDEN"; for example, accessing a deleted question without sufficient reputation to view deleted questions, including when not signed in.

However, the actual HTTP response code for that, as used in the HTTP response, is not 403, but 401.

The two are similar, but distinct. [RFC 7231 section 6.5.3](https://tools.ietf.org/html/rfc7231#section-6.5.3) defines the 403 response code as:

> The 403 (Forbidden) status code indicates that the server understood
> the request but refuses to authorize it.  A server that wishes to
> make public why the request has been forbidden can describe that
> reason in the response payload (if any).
>
> If authentication credentials were provided in the request, the
> server considers them insufficient to grant access.  The client
> SHOULD NOT automatically repeat the request with the same
> credentials.  The client MAY repeat the request with new or different
> credentials.  However, a request might be forbidden for reasons
> unrelated to the credentials.

...while [RFC 7235 section 3.1](https://tools.ietf.org/html/rfc7235#section-3.1) defines the 401 response code as:

> The 401 (Unauthorized) status code indicates that the request has not
> been applied because it lacks valid authentication credentials for
> the target resource.  The server generating a 401 response MUST send
> a WWW-Authenticate header field (Section 4.1) containing at least one
> challenge applicable to the target resource.

In this case, near as I can tell, no WWW-Authenticate header is included in the response, so the Codidact software is in violation of the HTTP spec.

Usually, a proper 401 response will result in the browser beginning an HTTP authentication flow, which is almost certainly *not* desirable in this case.

**All this to say that *especially* if the response page prominently displays an HTTP status code, that should match the actual response code in the HTTP response; and that the correct status code (403 or possibly 404) should be used when attempting to view deleted posts without sufficient permission.**
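As an added example (not code from the post or from the Codidact software), a small Python check that flags the two problems described above: a 401 sent without a `WWW-Authenticate` header, and a page body whose displayed status code disagrees with the actual HTTP status. The sample responses are constructed for illustration, not captured from the site.

```python
import re
from http import HTTPStatus

# Constructed sample responses (not captured from Codidact). The first one
# models the mismatch the post describes: a body that says "403 FORBIDDEN"
# delivered with HTTP status 401 and no WWW-Authenticate header.
SAMPLE_RESPONSES = {
    "deleted_post_view": {
        "status": 401,
        "headers": {"Content-Type": "text/html; charset=utf-8"},
        "body": "<h1>403 FORBIDDEN</h1><p>You can't view this post.</p>",
    },
    "proper_401": {
        "status": 401,
        "headers": {"WWW-Authenticate": 'Basic realm="admin"'},
        "body": "<h1>401 Unauthorized</h1>",
    },
    "proper_403": {"status": 403, "headers": {}, "body": "<h1>403 Forbidden</h1>"},
}

# "NNN Reason-Phrase" as typically rendered on an error page.
DISPLAYED_CODE = re.compile(r"\b([1-5]\d\d)\s+[A-Z][A-Za-z]+")

def displayed_status(body):
    """Return the first known HTTP status code shown in the page body, or None."""
    for m in DISPLAYED_CODE.finditer(body):
        code = int(m.group(1))
        try:
            HTTPStatus(code)  # raises ValueError for numbers that are not status codes
        except ValueError:
            continue
        return code
    return None

def check_response(status, headers, body):
    """Return a list of findings about status-code / header consistency."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status == 401 and "www-authenticate" not in hdrs:
        findings.append("401 without WWW-Authenticate (RFC 7235 section 3.1 MUST)")
    shown = displayed_status(body)
    if shown is not None and shown != status:
        findings.append(f"body displays {shown} but HTTP status is {status}")
    return findings

def audit(responses):
    return {name: check_response(r["status"], r["headers"], r["body"])
            for name, r in responses.items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RESPONSES).items():
        print(name, "->", findings or ["ok"])
```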
#3: Post edited by user avatar luap42‭ · 2020-10-15T08:39:03Z (about 4 years ago)
#2: Post edited by user avatar Canina‭ · 2020-08-29T09:16:26Z (about 4 years ago)
  • "Forbidden" ("403") page actually uses HTTP status 401 Unauthorized instead of 403 Forbidden
  • "Forbidden" ("403") page actually uses HTTP status 401 Unauthorized instead of 403 Forbidden for deleted posts without permission
#1: Initial revision by user avatar Canina‭ · 2020-08-29T09:15:41Z (about 4 years ago)
"Forbidden" ("403") page actually uses HTTP status 401 Unauthorized instead of 403 Forbidden