Should Web API return 403 Forbidden or not have an endpoint at all?
I have a Web API where, for a given model, I only allow fetching by ID ([GET] api/models/{modelId}) or updating ([PUT] api/models/{modelId}). The API does not support POST, DELETE, or fetching the collection ([GET] api/models).

Should these methods still exist in the Controller and return Forbid() (403 status)? Or should I simply remove those methods?
The full list of HTTP response status codes can help you determine the most appropriate reply.

403 Forbidden does not match the situation you describe:

    The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401, the client's identity is known to the server.

On the other hand, 405 Method Not Allowed seems to fit this case:

    The request method is known by the server but has been disabled and cannot be used. For example, an API may forbid DELETE-ing a resource. The two mandatory methods, GET and HEAD, must never be disabled and should not return this error code.

Note: The server MUST generate an Allow header field in a 405 response containing a list of the target resource's currently supported methods.
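One way to put this into practice, as an added example that is not part of the question or answer: an ASP.NET Core controller (assumed from the Controller/Forbid() wording of the question) that serves only GET and PUT on the item URL and answers other verbs with 405 plus the required Allow header instead of 403. ModelDto and ModelStore are hypothetical stand-ins for the asker's own types.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical DTO, a stand-in for the asker's own model type.
public record ModelDto(string Name);

[ApiController]
[Route("api/models")]
public class ModelsController : ControllerBase
{
    // HEAD is listed because ASP.NET Core routes HEAD requests to GET actions.
    private const string AllowedMethods = "GET, HEAD, PUT";

    [HttpGet("{modelId}")]
    public IActionResult GetById(string modelId)
    {
        var dto = ModelStore.Find(modelId);
        return dto is null ? NotFound() : Ok(dto);
    }

    [HttpPut("{modelId}")]
    public IActionResult Update(string modelId, [FromBody] ModelDto dto)
        => ModelStore.Update(modelId, dto) ? NoContent() : NotFound();

    // Known resource, unsupported verb: 405 plus the mandatory Allow header.
    // Forbid() would answer 403, which claims the caller's identity lacks
    // rights; that is not what is happening here.
    [AcceptVerbs("POST", "DELETE", "PATCH", Route = "{modelId}")]
    public IActionResult MethodNotAllowed()
    {
        Response.Headers.Append("Allow", AllowedMethods);
        return StatusCode(StatusCodes.Status405MethodNotAllowed);
    }

    // The collection URL api/models is not a resource in this API: no action
    // is declared for it, so routing answers 404 rather than 403 or 405.
}
// Hypothetical in-memory store so the controller compiles stand-alone.
public static class ModelStore
{
    private static readonly Dictionary<string, ModelDto> Items = new() { ["1"] = new("demo") };
    public static ModelDto? Find(string id) => Items.TryGetValue(id, out var m) ? m : null;
    public static bool Update(string id, ModelDto dto)
    {
        if (!Items.ContainsKey(id)) return false;
        Items[id] = dto;
        return true;
    }
}
```

A client that sends DELETE to api/models/1 then receives 405 with Allow: GET, HEAD, PUT, telling it exactly which methods the resource supports.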