>> Can someone explain where one should use a 403 response versus a 400
>> response? Is using 400 only for mailformed requests, and 400 for
>> requests with a command that isn't understood a reasonable
>> interpretation?
and Paul Phillips responded:
> My spec indicates that 403 implies greater server understanding than 400
> does. A 403 means the server tried to service the request, and failed,
> while a 400 means that the server knew based on the request that it would
> fail.
Ummmm, almost. 400 Bad Request indicates that the server was unable
to understand the request due to it being malformed. 403 Forbidden
indicates that the server *did* understand the request, but refuses to
service it for some reason that remains unknown to the client.
> There does seem to be some abiguity here, but both codes instruct the
> client not to repeat the request, so I don't think it's critical.
There is a certain amount of overlap between 400 and all 4xx responses,
but I don't consider that to be ambiguous. I'll change the spec so
that the purpose of the two codes is clarified.
Hmmmm, I could just change the example Reason Phrases to
400 You screwed up
403 Piss off
;-)
....Roy T. Fielding Department of ICS, University of California, Irvine USA
<fielding@ics.uci.edu>
<URL:http://www.ics.uci.edu/dir/grad/Software/fielding>