It was thus said that the Great Jason McBrayer once stated:
> Sean Conner <sean at conman.org> writes:
>
> > I'm currently returning a "Bad Request" for this, if the protocol, host
> > and port don't match what is currently configured on my server. The other
> > possible status is "Proxy Request Refused". My server doesn't do proxy
> > requests. What should the proper status code be? Is "Bad Request" fine
> > here?
>
> In my opinion, the Most Correct response to return would be "Proxy
> Request Refused". If they had made the same request to the right
> server or if this server had been configured differently, it would have
> succeeded, so the request isn't malformed or anything. But Bad Request
> is probably the next-best response; Not Found would also make a kind of
> sense.

Hmmm ... if my server did any proxying, then yes, "Proxy Request Refused"
would make sense. "Not found" doesn't, because the resource could be found,
not just through me. I suppose I could serve up "Proxy Request Refused" ...

> > So my question here, does it make sense to have the order be:
> >
> >     check request
> >     check authorization
> >     check redirection
> >     check handlers
> >
> > to prevent possible leaking of data? I'm thinking yes, but wouldn't mind
> > seeing a discussion.
> >
>
> I think this is good. I don't know that there's an equivalent best
> practices in HTTP; I think this is all pretty implementation-defined.

I only thought of that as I was refactoring my server code. I think I will
make that change as it feels right to me as well. Thanks.

-spc
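
The check order discussed in this message, as an added example that is not code from the post or from either author's server: a Gemini request pipeline where swapping authorization and redirection lets an unauthenticated client learn a protected redirect target. The status numbers are those of the Gemini specification; the host, paths, fingerprints and the auth_first switch are constructed for illustration, and a well-formed request for another protocol, host or port gets "Proxy Request Refused" as the reply suggests.

```python
from urllib.parse import urlsplit

# Constructed sample configuration; every name and value here is hypothetical.
HOST, PORT = "example.org", 1965
PROTECTED = {"/private/": {"sha256:aaaa"}}  # path prefix -> allowed cert fingerprints
REDIRECTS = {"/private/old-report": "/private/2020/q3-report.gmi"}
PAGES = {"/": "# Home\n", "/private/2020/q3-report.gmi": "# Q3 report\n"}

def check_request(line):
    """Stage 1: return (path, None) if the request is for this server, else (None, response)."""
    try:
        if not line.endswith("\r\n") or len(line.encode()) > 1026:  # 1024-byte URL + CRLF
            raise ValueError("malformed request line")
        url = urlsplit(line[:-2])
        port = PORT if url.port is None else url.port  # .port raises ValueError on a bad port
        if not url.scheme or not url.hostname:
            raise ValueError("not an absolute URL")
    except ValueError:
        return None, "59 Bad request\r\n"
    if (url.scheme, url.hostname, port) != ("gemini", HOST, PORT):
        return None, "53 Proxy request refused\r\n"  # well-formed, but not for this server
    return url.path or "/", None

def check_authorization(path, cert_fp):
    """Stage 2: gate protected prefixes on the client certificate fingerprint."""
    for prefix, allowed in PROTECTED.items():
        if path.startswith(prefix):
            if cert_fp is None:
                return "60 Client certificate required\r\n"
            if cert_fp not in allowed:
                return "61 Certificate not authorised\r\n"
    return None

def check_redirection(path, cert_fp):  # Stage 3: the target reveals the protected layout
    return f"31 {REDIRECTS[path]}\r\n" if path in REDIRECTS else None

def check_handlers(path, cert_fp):  # Stage 4: serve content or report it missing
    return f"20 text/gemini\r\n{PAGES[path]}" if path in PAGES else "51 Not found\r\n"

def handle(line, cert_fp=None, auth_first=True):
    """Run the stages in order; auth_first=False swaps stages 2 and 3 to show the leak."""
    path, response = check_request(line)
    if response:
        return response
    stages = [check_authorization, check_redirection, check_handlers]
    if not auth_first:
        stages[0], stages[1] = stages[1], stages[0]
    for stage in stages:
        if (response := stage(path, cert_fp)):
            return response
```

The prefix match assumes the path has already been normalized; a real server would resolve dot segments and percent-encoding before stage 2.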