Sean Conner <sean at conman.org> writes:

> I'm currently returning a "Bad Request" for this, if the protocol, host
> and port don't match what is currently configured on my server. The other
> possible status is "Proxy Request Refused". My server doesn't do proxy
> requests. What should the proper status code be? Is "Bad Request" fine
> here?

In my opinion, the Most Correct response to return would be "Proxy Request Refused". If they had made the same request to the right server or if this server had been configured differently, it would have succeeded, so the request isn't malformed or anything. But Bad Request is probably the next-best response; Not Found would also make a kind of sense.

> So my question here, does it make sense to have the order be:
>
>       check request
>       check authorization
>       check redirection
>       check handlers
>
> to prevent possible leaking of data? I'm thinking yes, but wouldn't mind
> seeing a discussion.

I think this is good. I don't know that there's an equivalent best practice in HTTP; I think this is all pretty implementation-defined.

--
Jason McBrayer         | “Strange is the night where black stars rise,
jmcbray at carcosa.net | and strange moons circle through the skies,
                       | but stranger still is lost Carcosa.”
                       | - Robert W. Chambers, The King in Yellow
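The check order discussed in this message, as an added example that is not part of the original post or of either participant's server code. The numeric Gemini status codes, the host, the paths and the certificate fingerprints are assumptions constructed for illustration; a mismatched protocol, host or port is answered here with "Proxy Request Refused".

```python
from urllib.parse import urlsplit

# Hypothetical server configuration, constructed for this example.
HOST, PORT = "example.org", 1965
PROTECTED = {"/private/": {"sha256:aaaa"}}         # path prefix -> allowed cert fingerprints
REDIRECTS = {"/private/old": "/private/new-name"}  # redirect source -> target
HANDLERS = {"/": "welcome", "/private/new-name": "secret page"}


def handle(url, client_cert=None):
    """Return (status, meta), checking request, authorization, redirection, handlers in that order."""
    # 1. Check request: it must parse and be addressed to this server.
    try:
        u = urlsplit(url)
        port = u.port if u.port is not None else PORT
    except ValueError:                      # e.g. a non-numeric port
        return 59, "bad request"
    if not u.scheme or not u.hostname:
        return 59, "bad request"
    if (u.scheme, u.hostname, port) != ("gemini", HOST, PORT):
        return 53, "proxy request refused"
    path = u.path or "/"                    # paths are compared literally here

    # 2. Check authorization before any step that reveals what exists.
    for prefix, allowed in PROTECTED.items():
        if path.startswith(prefix):
            if client_cert is None:
                return 60, "client certificate required"
            if client_cert not in allowed:
                return 61, "certificate not authorised"

    # 3. Check redirection: only reached by callers allowed to see the target.
    if path in REDIRECTS:
        return 31, REDIRECTS[path]

    # 4. Check handlers.
    if path in HANDLERS:
        return 20, HANDLERS[path]
    return 51, "not found"
```

With this order, an unauthenticated client gets the same answer for a redirected path, an existing page and a nonexistent path under the protected prefix, so neither redirect targets nor the set of valid names leak.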