[cgiapp] Best practice for CGI errors

Sean Davis sdavis2 at mail.nih.gov
Mon Sep 22 14:33:22 EDT 2008


On Mon, Sep 22, 2008 at 2:07 PM, Jaldhar H. Vyas <jaldhar at braincells.com> wrote:
> On Mon, 22 Sep 2008, Mark Knoop wrote:
>
>> If one wants to return an error to the client because they have not
>> included the correct parameters for the CGI request, should one use one of
>> the HTTP status codes and if so which one? And then is it ok/sensible to
>> include an error message in the body?
>>
>
> If you've drunk the REST koolaid (or like me drained the entire pitcher :-)
> ) you should always be thinking of leveraging HTTP features as much as
> possible and that would mean using status codes.  I would suggest 400 ('Bad
> request')
>
> An error message in the body is good for providing additional info to humans
> but the API of your web service should not depend on it in any way.

And be careful to not leak information about your application or
blindly echo "bad input" back as part of the error, as this is a good
way to be involved in cross-site-scripting attacks.

Sean
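
The advice in this thread (a 400 status, a body meant for humans only, no echoing of input, no leaked internals) as an added example that is not code from any poster or from the CGI::Application project. The package name `OrderApp`, the run mode `show_order` and the parameter `order_id` are hypothetical; it assumes CGI::Application is installed.

```perl
# Added example; OrderApp, show_order and order_id are hypothetical names.
package OrderApp;
use strict;
use warnings;
use base 'CGI::Application';

# Each required parameter: the pattern its value must match and a fixed,
# server-side message to send when it does not.
my %REQUIRED = (
    order_id => { re => qr/\A[0-9]{1,10}\z/, msg => 'order_id must be 1-10 digits' },
);

sub setup {
    my $self = shift;
    $self->start_mode('show_order');
    $self->run_modes( show_order => 'show_order' );
}

sub show_order {
    my $self = shift;
    my $q    = $self->query;
    my @errors;
    for my $name ( sort keys %REQUIRED ) {
        my $value = $q->param($name);    # scalar context: first value only
        next if defined $value && $value =~ $REQUIRED{$name}{re};
        push @errors, $REQUIRED{$name}{msg};
        # Detail goes to the server log; the rejected value is not logged or echoed.
        warn sprintf "rejected parameter %s from %s\n", $name, $q->remote_addr;
    }
    return $self->bad_request(@errors) if @errors;

    my $id = $q->param('order_id');      # digits only after validation
    $self->header_add( -type => 'text/plain; charset=utf-8' );
    return "order $id\n";
}

# 400 response whose body is built only from the fixed strings above.
sub bad_request {
    my ( $self, @messages ) = @_;
    $self->header_add(
        -status => '400 Bad Request',
        -type   => 'text/plain; charset=utf-8',
    );
    return join '', map { "error: $_\n" } @messages;
}

package main;
OrderApp->new->run;
```

A client can branch on the 400 status alone; the `text/plain` body carries no request data, so there is nothing for a browser to interpret as markup.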

