httpresponse http-status-code-403 http-status-code-400

What is the concern about bad request(400) or forbidden(403)?

I am implementing an endpoint which offer some secret data and I want to make a simple verify mechanism. Which status should I response when user does not have the correct crediential?

400? 403? Or something else?

thanks.

Solution

You should use 403, HTTP status code 403 responses are the result of the web server being configured to deny access to the requested resource by the client.

See HTTP 403

How do I return NotFound() IHttpActionResult with an error message or exception?
Which file types can be viewed in browser (inline, without a plugin)
HTTP Response code for "Please wait a little bit"
Should I return a status code or throw an exception in .Net Web Api 2
Extract video data from api response using PHP
Azure function HTTP Request 404 when published to Azure through Docker and Visual Studio
Modify HTTP responses from a Chrome extension
AFNetwork: Getting "finished with error - code: -999" warning
Blob could not be loaded from a localhost as src blob:
Typescript and AxiosError: Axios has two nested responses instead of one when there is an AxiosError
Receiving error 'The request message was already sent' when using Polly
SSL slow. Establishing secure connection taking too long
What does it mean when an HTTP request returns status code 0?
Content-Disposition filename in Chinese not supported
org.apache.http.ProtocolException: Target host is not specified
What should HTTP 201 response body be when responding to a POST request with large data?
Extract metadata from website ASP.NET MVC3
Exception in main java.lang.ClassCastException:class java.lang.String can't be cast to class
Flutter http.Response get wrong character value
Is there a website that returns 500 (and other) HTTP response codes for testing?
Has HttpContent.ReadAsAsync<T> method been superceded in .NET Core?
flask REST-API: Wrong value of number in response
How to provide canonical URL with Django HttpResponseRedirect?
C# Get Byte Array from HttpResposeMessage
Cast httpResponse to ResponseEntity is null C#
After invalid ASP.NET MVC server login, how can I capture the error text in the returned Json response and display in the Angular client?
How to write to HttpContext.Response.Body on .NET Core 3.1.x
Mocking fetch return response using Jest in Typescript
In Firefox DevTools Network tab, how to see only failed requests?
Failed to execute 'json' on 'Response': body stream already read