Welcome to Codidact Meta!

Codidact Meta is the meta-discussion site for the Codidact community network and the Codidact software. Whether you have bug reports or feature requests, support questions or rule discussions that touch the whole network – this is the site for you.

"Forbidden" ("403") page actually uses HTTP status 401 Unauthorized instead of 403 Forbidden for deleted posts without permission


There's a variety of actions which results in a display page saying "403 FORBIDDEN"; for example, accessing a deleted question without sufficient reputation to view deleted questions, including when not signed in.

However, the actual HTTP response code for that, as used in the HTTP response, is not 403, but 401.

The two are similar, but distinct. RFC 7231 section 6.5.3 defines the 403 response code as:

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

...while RFC 7235 section 3.1 defines the 401 response code as:

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.

In this case, near as I can tell, no WWW-Authenticate header is included in the response, so the Codidact software is in violation of the HTTP spec.

Usually, a proper 401 response will result in the browser beginning a HTTP authentication flow, which is almost certainly not desirable in this case.

All this to say that especially if the response page prominently displays a HTTP status code, that should match the actual response code in the HTTP response; and that the correct status code (403 or possibly 404) should be used when attempting to view deleted posts without sufficient permission.

Why should this post be closed?


1 answer


Thanks for bringing this to the community's attention.

This proposed change has been made and will be live with the next deploy.

1 comment

"This proposed change has been made and is live." nope, merged 10/12, pending deployment; live is rev 4a161f6b dated from 10/04 ‭.                                                .‭ 11 days ago

Sign up to answer this question »