What's the proper HTTP error code to use when request is missing origin header?

Time:04-04

I am designing an API and a requirement to access some endpoints is that the Origin header must be set in the request. I am rejecting requests that either (a) are missing the header altogether or (b) are sending requests from an origin that is not in a specified white/allowlist.

When I reject requests that do not meet these criteria, what is the correct HTTP error code to use? I initially thought 401 or 403, but there's not any true authentication/authorization issue in these cases. 400 feels too generic. Is there a code more specific to this scenario?

CodePudding user response:

The 400 may feel "too generic" but I think it's for this exact scenario where you are rejecting incomplete or otherwise bad requests.
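
An added example (not part of the original question or answer) of the check the question describes, returning 400 for every rejection as the answer suggests. The allowlist entries and the function names `normalize_origin` and `check_origin` are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; not from the original post.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return canonical 'scheme://host[:port]', or None if value is not a serialized origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers the literal "null" origin and non-HTTP schemes
    # A serialized origin carries no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_origin(origin_values, allowed=ALLOWED_ORIGINS):
    """origin_values: every Origin header value received on the request (may be empty)."""
    if not origin_values:
        return 400, "missing Origin header"
    if len(origin_values) > 1:
        return 400, "multiple Origin headers"
    origin = normalize_origin(origin_values[0])
    if origin is None:
        return 400, "malformed Origin header"
    # Exact match on the normalized origin; prefix or substring matching
    # would let https://app.example.com.evil.test through.
    if origin not in {normalize_origin(a) for a in allowed}:
        return 400, "origin not allowed"
    return 200, "ok"


if __name__ == "__main__":
    for sample in ([], ["null"], ["https://app.example.com"],
                   ["https://app.example.com.evil.test"]):
        print(sample, "->", check_origin(sample))
```

Any non-browser client can send an arbitrary Origin value, so this check constrains browser-originated requests and is separate from authentication.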
