Should Web API return 403 Forbidden or not have an endpoint at all?

I have a Web API where, for a model, I only allow getting by ID ([GET] api/models/{modelId}) or updating ([PUT] api/models/{modelId}). The API does not support POST, DELETE, or getting the collection ([GET] api/models).

Should the controller still have these methods and return Forbid() with a 403 status?

Or should I simply remove those methods?

The full list of HTTP response status codes can help you determine the most appropriate response.

403 Forbidden does not fit the situation you describe:

The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401, the client's identity is known to the server.

On the other hand, 405 Method Not Allowed seems to fit this case:

The request method is known by the server but has been disabled and cannot be used. For example, an API may forbid DELETE-ing a resource. The two mandatory methods, GET and HEAD, must never be disabled and should not return this error code.

Note:

The server MUST generate an Allow header field in a 405 response containing a list of the target resource's currently supported methods.
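As an added example (not code from the question or the answer), here is an ASP.NET Core controller for the resource shape the question describes: it exposes only GET and PUT on api/models/{modelId}, answers POST and DELETE on that URL with 405 plus the Allow header the note above requires, and leaves api/models undefined because that URL supports no method that could be listed in Allow. The commented-out Forbid() action is the 403 variant the question asks about. ModelsController, ModelDto and IModelStore are assumed names.

```csharp
// Added example, not from the question or answer. ModelsController,
// ModelDto and IModelStore are assumptions, not names from the page.
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public record ModelDto(string Name);

public interface IModelStore
{
    ModelDto? Find(int modelId);
    void Update(int modelId, ModelDto dto);
}

[ApiController]
[Route("api/models")]
public class ModelsController : ControllerBase
{
    // Methods this resource actually supports; add HEAD here if your
    // framework version serves HEAD through the GET action.
    private const string SupportedMethods = "GET, PUT";
    private readonly IModelStore _store;

    public ModelsController(IModelStore store) => _store = store;

    // The two operations the API supports.
    [HttpGet("{modelId:int}")]
    public IActionResult Get(int modelId) =>
        _store.Find(modelId) is { } dto ? Ok(dto) : NotFound();

    [HttpPut("{modelId:int}")]
    public IActionResult Put(int modelId, [FromBody] ModelDto dto)
    {
        if (_store.Find(modelId) is null) return NotFound();
        _store.Update(modelId, dto);
        return NoContent();
    }

    // What the question proposes: a 403 tells the caller "we know who you
    // are and you are not allowed", i.e. it reports an authorization
    // decision that was never made. Kept only for comparison.
    // [HttpPost("{modelId:int}")]
    // [HttpDelete("{modelId:int}")]
    // public IActionResult Unsupported(int modelId) => Forbid();

    // What the answer recommends: 405 with the mandatory Allow header, so
    // the client learns which methods the resource does support.
    [HttpPost("{modelId:int}")]
    [HttpDelete("{modelId:int}")]
    public IActionResult MethodNotAllowed(int modelId)
    {
        Response.Headers["Allow"] = SupportedMethods;
        return StatusCode(StatusCodes.Status405MethodNotAllowed);
    }

    // api/models itself supports no method at all, so there is nothing to
    // put in Allow; no action is declared for it and routing answers 404.
}
```

Recent ASP.NET Core versions already produce a 405 with an Allow header when endpoint routing matches a route but no action accepts the method; the explicit action above makes that behaviour visible and version-independent, and keeps the contrast with Forbid() in one place.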