Alternative to http status code 403 for a banned user

Tags:

http

I am wondering what the best practice for the following scenario is: I have an application where an agent authenticates on behalf of a customer.

If the customer is banned, what is the best practice for the http status code I return them?

When I return a 403 it seems as if the request they made was invalid, it does not convey to the agent the user is banned. In the same sense I do not want to send a 401 unless the credentials used to make the request were invalid.

I have read a few answers and the spec and haven't found what I was looking for. I was leaning towards a custom 2XX response, i.e. 230, or something like 406 or 451.

Looking forward to your input.

Resources used:

  • https://racksburg.com/choosing-an-http-status-code/
  • https://httpstatuses.com/
  • What is the best HTTP status code for blocked user profile in rails api?
danielsmith1789 asked Oct 23 '25 00:10


1 Answer

In my opinion, you should stay with the standard: 403.

From: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

10.4.4 403 Forbidden

    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

Returning FORBIDDEN is very straightforward, as the other codes may be perceived as ambiguous.

Sanders answered Oct 25 '25 13:10
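The answer's point, and the part of the RFC text people tend to skip, is that 403 and "tell the agent why" are not in conflict: the status code says the server refuses, and the entity body carries the reason. The example below is an added illustration, not code from the question or the answer. It assumes a bearer-token scheme for agent credentials, a constructed customer table, and an RFC 7807 `application/problem+json` body as the "entity" that describes the refusal; the `type` URI and the `/customers/<id>` route are assumptions for the example. It also shows the neighbouring cases so the distinction is visible in code: 401 (with the `WWW-Authenticate` header RFC 7235 requires) only when the agent's credentials are missing or bad, 404 when the customer does not exist, and 403 with a machine-readable `reason` when the customer is banned.

```python
import json
from http import HTTPStatus
from typing import Dict, Tuple

# Constructed sample data for this example (not from the page):
# agent bearer tokens and the customers they may act for.
AGENT_TOKENS = {"agent-token-1": "agent-1"}
CUSTOMERS = {
    "cust-100": {"banned": False},
    "cust-200": {"banned": True, "reason": "terms_of_service_violation"},
}

PROBLEM_JSON = "application/problem+json"
# Assumed URI namespace for problem types; clients can branch on it
# instead of parsing human-readable text.
PROBLEM_BASE = "https://example.com/problems/"


def authorize(headers: Dict[str, str], customer_id: str) -> Tuple[int, Dict[str, str], dict]:
    """Decide the response for an agent acting on behalf of customer_id.

    Returns (status, response_headers, body). Only the credential check can
    produce 401; a banned customer is a 403 whose body says why.
    """
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or token not in AGENT_TOKENS:
        # Credentials missing or invalid: 401 must carry WWW-Authenticate (RFC 7235).
        return 401, {"Content-Type": PROBLEM_JSON, "WWW-Authenticate": 'Bearer realm="api"'}, {
            "type": PROBLEM_BASE + "invalid-credentials",
            "title": "Agent credentials missing or invalid",
            "status": 401,
        }

    customer = CUSTOMERS.get(customer_id)
    if customer is None:
        return 404, {"Content-Type": PROBLEM_JSON}, {
            "type": PROBLEM_BASE + "customer-not-found",
            "title": "Customer not found",
            "status": 404,
        }

    if customer["banned"]:
        # Credentials are fine; the server refuses anyway. Per RFC 2616 10.4.4 the
        # reason goes in the entity, so the agent can distinguish "banned" from
        # any other 403 without guessing. Return 404 instead if the ban must
        # stay undisclosed.
        return 403, {"Content-Type": PROBLEM_JSON}, {
            "type": PROBLEM_BASE + "customer-banned",
            "title": "Customer is banned",
            "status": 403,
            "detail": "The agent's credentials are valid, but this customer account is banned.",
            "customer_id": customer_id,
            "reason": customer["reason"],
        }

    return 200, {"Content-Type": "application/json"}, {"customer_id": customer_id, "status": "active"}


def app(environ, start_response):
    """Minimal WSGI wrapper so the decision above can be served as-is."""
    parts = environ.get("PATH_INFO", "").strip("/").split("/")
    if len(parts) == 2 and parts[0] == "customers":
        headers = {"Authorization": environ.get("HTTP_AUTHORIZATION", "")}
        status, hdrs, body = authorize(headers, parts[1])
    else:
        status, hdrs, body = 404, {"Content-Type": PROBLEM_JSON}, {
            "type": PROBLEM_BASE + "no-such-route", "title": "Not found", "status": 404}
    payload = json.dumps(body).encode()
    hdrs = dict(hdrs, **{"Content-Length": str(len(payload))})
    start_response(f"{status} {HTTPStatus(status).phrase}", list(hdrs.items()))
    return [payload]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # e.g. curl -i -H 'Authorization: Bearer agent-token-1' http://localhost:8000/customers/cust-200
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The design choice worth noting: the "banned" signal lives in a stable, machine-readable field (`type` and `reason`) of a 403 body, not in a bespoke status code. Intermediaries, caches and generic HTTP clients already understand 403; a 230 or a misapplied 406/451 would be interpreted inconsistently, and a 401 would invite the agent to retry with different credentials, which is exactly the wrong advice for a ban.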