One company (who I will refer to as Company NNN from here forth), has a REST API. At my company, we use Company NNN's REST API to provide some content to our end users.
If I send the request with the User-Agent header field filled in, the REST API returns valid JSON data. If I send the request without the User-Agent header field filled in, the REST API returns 500 Internal Server Error. Upon notifying Company NNN of this, their response to me was that specifying a User-Agent is best practice.
Shouldn't this API be able to return valid JSON even without a User-Agent request header?
Best Answer
REST is not a specification therefore there are no hard and fast rules for REST API. Company NNN is allowed to make any decisions they want when designing their REST API. It's not a defect if they intentionally want to enforce clients specify a user agent.
I think it was a good idea to report it because it is a bit unusual for a REST API to enforce a user agent because REST API are consumed by programmatic clients that typically don't set a user agent by default.
Secondly 500 is the incorrect status for an error of this kind. It likely signifies there is a bug in their system. If it were intentional that user agent must be specified I would expect a
400 Bad Requestresponse with a meaningful message.User agent could be useful for them to monitor the source of unauthenticated requests and group them in a meaningful way but the fact that they're returning a 500 internal server error (and I assume no helpful message) gives me the impression this is actually a bug. Their response is classic, "it's not a bug it's a feature".