Let’s say we have an AWS application load balancer that has 2 rules based on host headers and a default rule for when the previous 2 rules’ conditions aren’t met.
What is the most appropriate HTTP status code to return for the default rule? Hitting the load balancer directly (or via a hostname not listed in the 2 non-default rules) won’t return anything, so 404 seems like it could be appropriate. However, would a 5xx error (e.g. 500, 502 or 503) be more appropriate?
Answers
Found a few similar questions where the answers suggest a 400 Bad Request may be applicable:
However, since the request is syntactically well-formed, and the host header exists and is valid (as in, it's not an invalid/malformed URI), a 404 feels more appropriate. This is also reflected by the fact that an Azure Application Gateway returns a 404 when the host header doesn't match any configured listener rules (see here).
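For readers who want to see what the 404 recommendation above looks like as actual ALB configuration, here is an added Terraform example (not code from the question or from any of the answers). It declares one HTTPS listener whose default action is a fixed 404 response, plus one host-header rule that forwards to a target group; the resource names (`aws_lb.app`, `aws_lb_target_group.app_a`), the variable `var.certificate_arn` and the hostname `app-a.example.com` are assumptions made up for the example. On an ALB the default action is the only thing that fires when no host-header rule matches, and a fixed-response action is how you choose the status code and body the balancer sends on its own, without involving any target.

```hcl
# Added example: HTTPS listener whose default action returns a fixed 404
# when no host-header rule matches. Resource names, the certificate variable
# and the hostname are placeholders assumed for this example.

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn          # assumed: existing ALB resource
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn     # assumed: ACM certificate ARN

  # Default rule: reached only when none of the listener rules below match.
  # A short, generic 404 body reveals nothing about which hosts are served.
  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Not Found"
      status_code  = "404"
    }
  }
}

# One of the non-default rules: forward only when the Host header matches.
resource "aws_lb_listener_rule" "app_a" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app_a.arn  # assumed: existing target group
  }

  condition {
    host_header {
      values = ["app-a.example.com"]  # assumed hostname for this example
    }
  }
}
```

After applying, a request that carries an unlisted Host header (for instance `curl -sS -o /dev/null -w '%{http_code}\n' -H 'Host: unknown.example.com' https://<alb-dns-name>/`) should print `404` and never reach either target group, which is also a convenient way to confirm that the default action, rather than one of the forwarding rules, handled the request.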
The most appropriate status code in this case would be "406". The official MDN document says: "This response is sent when the web server, after performing server-driven content negotiation, doesn’t find any content that conforms to the criteria given by the user agent."
MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/406
Though it isn’t part of the HTTP spec, HTTP client error code 444 is often used for this situation.
You should just drop the connection with no response as this type of traffic is typically malicious. If you need to return a response, a 404 or 401 might be more desirable as it is more opaque to the client and won’t indicate to a crawler that there is a host header mismatch.