I am designing an API, and a requirement to access some endpoints is that the Origin header must be set in the request. I am rejecting requests that either (a) are missing the header altogether or (b) are sending requests from an origin that is not in a specified white/allowlist.
When I reject requests that do not meet these criteria, what is the correct HTTP error code to use? I initially thought 401 or 403, but there's not any true authentication/authorization issue in these cases. 400 feels too generic. Is there a code more specific to this scenario?
CodePudding user response:
The 400 may feel "too generic" but I think it's for this exact scenario where you are rejecting incomplete or otherwise bad requests.
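The check the question describes, written up as an added example that is not part of the original question or answer: a request is rejected with 400 when the Origin header is absent, malformed, the opaque value `null`, or not on the allowlist, following the answer above. The allowlist entries and the sample requests are constructed for the example. Origins are compared as canonical `scheme://host[:port]` tuples (RFC 6454), never by substring, because `"app.example.com" in origin` would accept `https://app.example.com.evil.net`.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real service would load this from config.
ALLOWED_ORIGINS_RAW = ["https://app.example.com", "https://admin.example.com:8443"]


def normalize_origin(value):
    """Canonicalize a serialized origin to scheme://host[:port], or None if invalid.

    A serialized Origin header carries only scheme, host and optional port: no path,
    query, fragment or userinfo. Scheme and host are case-insensitive, and a port equal
    to the scheme's default is dropped so "https://x:443" and "https://X" compare equal.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None  # e.g. "https://evil.net/https://app.example.com" is not an origin
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Normalize the allowlist once so every later comparison is exact-match on canonical form.
ALLOWED_ORIGINS = {normalize_origin(o) for o in ALLOWED_ORIGINS_RAW}


def get_header(headers, name):
    """Case-insensitive lookup of a header name in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_origin(headers, allowed=ALLOWED_ORIGINS):
    """Return (status, reason) for a request's Origin header.

    200 means the origin is on the allowlist; every rejection uses 400, as the answer
    suggests, since the request itself is incomplete or malformed for this endpoint.
    """
    raw = get_header(headers, "Origin")
    if raw is None:
        return 400, "missing Origin header"
    if raw.strip().lower() == "null":
        # Browsers send the literal "null" for opaque origins (sandboxed iframes, file://,
        # some redirects); it can never be allowlisted meaningfully.
        return 400, "opaque origin not allowed"
    origin = normalize_origin(raw)
    if origin is None:
        return 400, "malformed Origin header"
    if origin not in allowed:
        return 400, "origin not allowed"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests; only the headers matter for this check.
    samples = [
        {"Origin": "https://app.example.com"},
        {"origin": "HTTPS://APP.EXAMPLE.COM:443"},
        {},
        {"Origin": "null"},
        {"Origin": "https://app.example.com.evil.net"},
        {"Origin": "https://evil.net/https://app.example.com"},
        {"Origin": "http://app.example.com"},
    ]
    for headers in samples:
        print(headers.get("Origin", headers.get("origin", "<absent>")), "->", check_origin(headers))
```

One caveat worth keeping in mind: Origin is set by browsers and is trivially forged by any non-browser client, so this check limits which sites can drive a user's browser at the API (a cross-site defense), and it is not authentication. Whatever status you choose for the rejection, the allowlist comparison should stay an exact match on the canonical origin, including scheme and port.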