I'm currently returning 401 Unauthorized whenever I encounter a validation failure in my Django/Piston based REST API application.
Having had a look at the HTTP Status Code Registry
I'm not convinced that this is an appropriate code for a validation failure, what do y'all recommend?
- 400 Bad Request
- 401 Unauthorized
- 403 Forbidden
- 405 Method Not Allowed
- 406 Not Acceptable
- 412 Precondition Failed
- 417 Expectation Failed
- 422 Unprocessable Entity
- 424 Failed Dependency
Update: "Validation failure" above means an application level data validation failure, i.e., incorrectly specified datetime, bogus email address etc.
Best Answer
If "validation failure" means that there is some client error in the request, then use HTTP 400 (Bad Request). For instance if the URI is supposed to have an ISO-8601 date and you find that it's in the wrong format or refers to February 31st, then you would return an HTTP 400. Ditto if you expect well-formed XML in an entity body and it fails to parse.
(1/2016): Over the last five years WebDAV's more specific HTTP 422 (Unprocessable Entity) has become a very reasonable alternative to HTTP 400. See for instance its use in JSON API. But do note that HTTP 422 has not made it into HTTP 1.1, RFC-7231.
Richardson and Ruby's RESTful Web Services contains a very helpful appendix on when to use the various HTTP response codes. They say:
and: