TL;DR: You should respond with Error 400 if the URL is malformed or the parameters fail validation rather than with Error 404.
If you’ve ever run a website which reports 404ed requests to the admin, you’ve probably noticed that, every now and then, GoogleBot gets it into its head that it can do a better job if it tries guessed, nonsense URLs to try to tease hidden pages out of your site.
The big problem is that, most of the time, it’s guessing such utter nonsense that you have to wonder about the competence of whoever wrote it. (Not to mention that it’s effectively punishing the whole web because some sites are poorly structured)
That’s where HTTP Error 400 comes in. Error 404 is so overused as a generic “nope” response that it doesn’t say anything about why the request couldn’t be serviced.
By sending Error 400, you tell the requesting agent that the request couldn’t be serviced, not just because nothing matched, but because the URL given doesn’t meet the minimum requirements to be tested for a match. (Sort of like if you were to write “If-Modified-Since: pineapple” in your HTTP headers)
That means that, if someone or something is trying to guess URLs, it at least has enough information to learn the constraints for URL validity so it can only try to guess ones that have the potential to exist.
Given that, you might be wondering how to implement Error 400 responses. The simplest solution is just to tie them into your URL routing and input validation.
- Did the URL router fail to find a matching route? Return Error 400.
- Did the parameters fail to pass input validation (eg. “bike” in an integer field)? Return error 400.
- Did the URL request an object ID that doesn’t exist? Return Error 404.
- (optional) Did the URL request an object ID that has been flagged as deleted (with no replacement on record) but kept around to preserve relational integrity? Return Error 410 (Gone).
With modern web frameworks, this is often ridiculously simple to concisely retrofit and, as with Error 404, you can still return custom human-readable messages.
Error 400: The Web’s Most Under-Appreciated Response by Stephan Sokolow is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution under the same terms as the associated post.
All comments are moderated. If your comment is generic enough to apply to any post, it will be assumed to be spam. Borderline comments will have their URL field erased before being approved.