3

I'm implementing a custom HTTP 1.1 server. According to Page 35 of RFC 2616, an HTTP Request URI may take one of four forms. One of these forms is "absolute-URI", which is exactly what it sounds like.

Let's say I have a server at http://www.example.com. My server is sent the following request:

GET http://www.google.com.au HTTP/1.1
Host: www.example.com

What response should I send for a request like this? I want to say maybe 406 Not Acceptable or 409 Conflict. Is there a standard way to respond to this?

2 Answers2

2

  • If you want to reject the request, I'd go with

    400 Bad Request

    The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

    400 is the catch-all error for cases where the client made a mistake and no specific error is applicable.

  • If you want to accept the request and show some of your content, I would not silently serve the contents of your "default" domain. I'd rather use a 3xx redirect to your default domain.

What I would not use:

  • HTTP 404 because it gives the client the impression that it talked to the correct server where the file is missing.
  • HTTP 403 for similar reasons as 404 and because it fits even less. 406 Not Acceptable

  • HTTP 406 Not Acceptable

    The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.

    Your denial is unrelated to accept headers.

  • HTTP 409 Conflict

    Indicates that the request could not be processed because of conflict in the request, such as an edit conflict in the case of multiple updates.

    No conflicting changes here. A client receiving this code might refetch the data and apply its changes to the new version. This clearly doesn't fit your situation.

CodesInChaos
  • 5,717
1

First, RFC 2616 is obsolete; you should be referring to RFC 7230 and RFC 7231 instead.

(RFC 7230 § 5.5) HTTP servers which receive the absolute form of a URI in the request-line ignore the Host: header and use only that absolute URI for any further processing. The server then has to decide what to do with it.

Existing general purpose HTTP servers use virtual hosts to provide service for several different hostnames, and if the given hostname does not match an existing virtual host, they will attempt to serve it with the default virtual host. Unless the server has been explicitly configured to proxy such requests, but this isn't in your scenario.

While the RFC does note that this situation can occur, it does not mandate a particular response. If you are implementing a server capable of serving virtual hosts, you can do what other servers do and serve it with the default virtual host. Or you can decide to refuse such requests and explicitly serve a 403 Forbidden. (RFC 7231 § 6.5.3)

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

The 406 and 409 errors you mention aren't intended for this scenario.

(RFC 7231 § 6.5.6) 406 is intended for the situation when the server found one or more documents matching the URL, but none of them have a MIME type matching any type given in the request's Accept header.

(RFC 7231 § 6.5.8) 409 is intended for situations in which the data being uploaded can't be processed due to a conflict with existing data, such as a version control merge conflict.

Community
  • 1
Michael Hampton
  • 2,970
  • 2
  • 18
  • 18