c# - Why does HttpRequestValidationException have a 500 HTTP error code instead of 400?
When testing a web app based on MVC5, I found that HttpRequestValidationException returns 500 from GetHttpCode().

I catch the exception during security testing of requests to the server. MVC performs request validation, throws the exception, and it is processed in Application_Error, and a 500 code is returned. But, in fact, if the user passed wrong input, the server should return a 400 error (Bad Request). I don't understand why the exception has a 500 error. Is this wrong?
There are 4 reasons why 500 might be considered more appropriate.

One is that it isn't clear, when an HttpRequestValidationException happens, who did the wrong thing. The user quite possibly sent something incorrect, but it's also possible that the server incorrectly rejected something that was fine. Considering that the default behaviour is applied on many requests that could be malicious, it's probable that the majority of cases where it is thrown in response to non-malicious requests (the user isn't actively trying to do the site harm) fall into this category. Hence one should consider either 4xx or 5xx, and 5xx is the safer assumption (don't blame the client when you aren't sure it's the client's fault).

When it happens in the non-malicious case it needs the attention of the developer, which isn't true of 4xx codes (a 404 might need developer attention because the 404 was caused by a bad link on the same site, but it might not). The sort of feedback one gets from 500 responses is more appropriate.

The general model ASP.NET started with pretty much mapped exceptions to 500 responses, which makes sense a lot of the time. MVC has (sensibly) replaced this with more exceptions that map to other error conditions, but HttpRequestValidationException predates MVC.

Now, those points made, I can't say I agree with them. I'd still say HttpRequestValidationException means a client error, and if it mis-identified it as such, it still identified it as such, so it's a 400.

However, the final reason is:

- While the description of the 400 status in RFC 7231 would seem to quite clearly cover such requests, RFC 7231 was published in 2014. HttpRequestValidationException, and the handling of it, goes back to at least 2003, when RFC 2616 was the relevant RFC. Under the description of 400 in that RFC, 400 read as relating to requests where the actual HTTP message was mal-formed. While people did use 400 as a more catch-all "client did wrong" response, it wasn't clear that doing so was correct.

Even though this gives a reason why 500 may have been a more appropriate reaction 1.5 years ago, it's not a reason why it should remain so. Changing it, though, would have backwards-compatibility implications, so it may not be a good idea.

Still, if a given application you are writing makes conscious use of HttpRequestValidationException (rather than overriding it entirely with its own validation that uses a different approach), it's sensible to catch such exceptions and send a 400 rather than a 500.
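One way to do what the last paragraph recommends, as an added example (not code from the question or the answer): an Application_Error handler in Global.asax.cs that maps HttpRequestValidationException to 400, keeps the code that other HttpException instances already carry, and leaves everything else at 500. The namespace and class name are assumptions.

```csharp
// Global.asax.cs (namespace and class name are assumed for this example)
using System;
using System.Net;
using System.Web;

namespace ExampleApp
{
    public class MvcApplication : HttpApplication
    {
        // Decide the status code to report for an unhandled exception.
        // Checked in this order because HttpRequestValidationException derives
        // from HttpException and its own GetHttpCode() reports 500.
        public static int StatusCodeFor(Exception ex)
        {
            if (ex is HttpRequestValidationException)
                return (int)HttpStatusCode.BadRequest;          // 400: client sent bad input

            var httpEx = ex as HttpException;
            if (httpEx != null)
                return httpEx.GetHttpCode();                    // e.g. 404 for missing routes

            return (int)HttpStatusCode.InternalServerError;     // 500: genuine server fault
        }

        protected void Application_Error(object sender, EventArgs e)
        {
            Exception ex = Server.GetLastError();
            if (ex == null) return;

            int status = StatusCodeFor(ex);

            // Only take over the response for the request-validation case;
            // other exceptions keep the framework's default handling.
            if (status != (int)HttpStatusCode.BadRequest) return;

            Server.ClearError();
            Response.Clear();
            Response.StatusCode = status;
            Response.TrySkipIisCustomErrors = true;            // keep our body, not the IIS error page
            Response.ContentType = "text/plain";
            // Do not echo the rejected input back to the client; a generic message is enough.
            Response.Write("400 Bad Request: the request contained input that failed validation.");
            CompleteRequest();                                   // finish without Response.End()'s ThreadAbort
        }
    }
}
```

Keep the existing server-side logging of the exception in place; turning the response into a 400 is only about what the client sees.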