HTTP status code for "could not fulfill request for *known* reason"

Don't use the RFC 2616 as reference anymore

The RFC 2616 is no longer relevant nowadays and anyone using such a document as a reference should stop right away. Quoting Mark Nottingham who, at the time of writing, co-chairs the IETF HTTP and QUIC Working Groups:

Don’t use RFC2616. Delete it from your hard drives, bookmarks, and burn (or responsibly recycle) any copies that are printed out.

The old RFC 2616 has been supplanted by the following documents that, together, define the HTTP/1.1 protocol:

  • RFC 7230: Message Syntax and Routing
  • RFC 7231: Semantics and Content
  • RFC 7232: Conditional Requests
  • RFC 7233: Range Requests
  • RFC 7234: Caching
  • RFC 7235: Authentication

If you are looking for status code definitions, then the RFC 7231 is the document you should refer to.

What's the known or expected reason?

Depending on the known or expected reason, you can return the proper status code:

  • Couldn't the request be fulfilled because the client is requesting a resource that does not exist? Return a 404.
  • Is it an authorization problem? Go for 403.
  • Using HTTP authentication and the credentials are not valid? Return a 401.
  • Doesn't the server support the functionality required to fulfil the request? Use 501.
  • Couldn't the request be completed due to a conflict with the current state of the target resource? So 409 should be returned.
  • Has the target resource been assigned a new permanent URI? The 301 status code is the right choice.
  • And so on...

Decision charts

For more details, check the RFC 7231 and also have a look at the following decision chart that Michael Kropat put together:


The status codes are grouped into three rough categories:

[Image: HTTP status codes categories]

Start here:

[Image: HTTP status codes]

Choosing 2xx and 3xx status codes

[Image: HTTP 2xx and 3xx status codes]

Choosing 4xx status codes

[Image: HTTP 4xx status codes]

Choosing 5xx status codes

[Image: HTTP 5xx status codes]
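An added example, not part of either answer: a small WSGI service that applies the reason-to-status mapping from the list above, including the headers that 401 and 301 need to be usable (`WWW-Authenticate` and `Location`). The users, documents, paths and the `X-Base-Revision` header are constructed for illustration.

```python
import base64
import hmac

# Constructed in-memory data; every name and value here is illustrative.
USERS = {"alice": "s3cret"}
DOCS = {"/docs/1": {"owner": "alice", "rev": 2},
        "/docs/2": {"owner": "bob", "rev": 1}}
MOVED = {"/old-docs/1": "/docs/1"}  # resources with a new permanent URI

def authenticate(environ):
    """Return the user name from valid Basic credentials, else None."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    expected = USERS.get(user, "")
    ok = user in USERS and hmac.compare_digest(expected.encode(), password.encode())
    return user if ok else None

def decide(environ):
    """Map the known reason a request cannot be fulfilled to a status line."""
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if method not in ("GET", "PUT"):  # functionality not supported at all
        return "501 Not Implemented", []
    if path in MOVED:
        return "301 Moved Permanently", [("Location", MOVED[path])]
    user = authenticate(environ)
    if user is None:  # a 401 must carry a challenge (RFC 7235)
        return "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="docs"')]
    doc = DOCS.get(path)
    if doc is None:
        return "404 Not Found", []
    if doc["owner"] != user:  # authenticated, but not authorized
        return "403 Forbidden", []
    # HTTP_X_BASE_REVISION is a hypothetical header naming the revision edited.
    if method == "PUT" and environ.get("HTTP_X_BASE_REVISION") != str(doc["rev"]):
        return "409 Conflict", []
    return "200 OK", []

def app(environ, start_response):
    """WSGI entry point: the status line doubles as the plain-text body."""
    status, headers = decide(environ)
    start_response(status, [("Content-Type", "text/plain")] + headers)
    return [status.encode()]
```

Because the 401 check runs before the resource lookup, an unauthenticated client receives the same challenge whether or not the path exists.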


The answer lies in the defined semantics of the other HTTP codes. For instance, for a protected page, an authentication failure is an expected error, so the 401 is an appropriate response. One could even argue that 401 is a legal response, not even an error code, for that situation. And that distinction may be the semantic reason that it is probably ambiguous to decide whether an expected error code is actually an error or just a legal result of the request.
