
I wrote an API for a social app in Rails. This app is like Facebook: users can block other users. If user A blocks user B, user B can't view user A's profile page. So what is the best HTTP status code I should return: 404, 403, 204 or 200 (render nothing)?

2 Answers


  1. I much prefer to use 403 Forbidden

    The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

    If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

    An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

    https://www.rfc-editor.org/rfc/rfc7231#section-6.5.3

  2. A best practice for this is 403; however, doing so will expose the fact that the user has been blocked. If you don't want that, you can return 404. GitHub, as an example, always returns 404 for unauthorized access to private repos.

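Both answers describe the same trade-off: 403 tells the caller that a block exists, while 404 makes a blocked profile indistinguishable from one that does not exist. The following is an added example, not code from this thread or from the asker's app: a plain-Ruby model of that decision (no Rails dependency, so it runs on its own). The class name `ProfilePolicy`, the `mode:` option and the user/block sample data are assumptions made for the illustration; in a Rails controller the returned pair would feed `render json: body, status: status`.

```ruby
require 'json'

# Decides what a profile endpoint should return when the viewer has been
# blocked by the profile owner.
#
#   mode: :reveal -> 403 Forbidden when blocked (caller learns it is blocked)
#   mode: :hide   -> 404 Not Found when blocked (same response as a missing user,
#                    so a caller cannot tell "blocked" from "does not exist")
class ProfilePolicy
  # Constructed sample data (assumption): known user ids and who blocked whom.
  USERS  = %w[alice bob carol].freeze
  BLOCKS = { 'alice' => ['bob'] }.freeze # alice has blocked bob

  def initialize(mode: :hide, users: USERS, blocks: BLOCKS)
    raise ArgumentError, "unknown mode #{mode}" unless %i[reveal hide].include?(mode)
    @mode = mode
    @users = users
    @blocks = blocks
  end

  # True when `owner` has put `viewer` on their block list.
  def blocked?(viewer, owner)
    @blocks.fetch(owner, []).include?(viewer)
  end

  # Returns [status, body]; body is the JSON-serialisable payload.
  # The checks are ordered so that in :hide mode the "blocked" branch
  # produces exactly the same response as the "no such user" branch.
  def respond(viewer, owner)
    return not_found unless @users.include?(owner)
    return blocked_response if blocked?(viewer, owner)

    [200, { 'id' => owner, 'name' => owner.capitalize }]
  end

  # Convenience for callers that want the wire representation.
  def respond_json(viewer, owner)
    status, body = respond(viewer, owner)
    [status, JSON.generate(body)]
  end

  private

  def not_found
    [404, { 'error' => 'not found' }]
  end

  def blocked_response
    @mode == :reveal ? [403, { 'error' => 'forbidden' }] : not_found
  end
end

if $PROGRAM_NAME == __FILE__
  %i[reveal hide].each do |mode|
    policy = ProfilePolicy.new(mode: mode)
    puts "#{mode}: bob -> alice   #{policy.respond_json('bob', 'alice').inspect}"
    puts "#{mode}: bob -> nobody  #{policy.respond_json('bob', 'nobody').inspect}"
    puts "#{mode}: carol -> alice #{policy.respond_json('carol', 'alice').inspect}"
  end
end
```

The point of `:hide` mode is that the two 404 responses are byte-for-byte identical, including the body; returning 404 with a body that says "blocked", or 404 for blocks and an empty 200 for missing users, would leak the same information as a 403.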