1. RESTful Web Services

2. What is RESTful?

3. Introduction to REST
An architectural style (extends client-server) introduced by Roy Fielding
REST stands for Representational State Transfer
It is an architectural pattern for developing web services as opposed to a specification.
REST web services communicate over the HTTP specification, using HTTP vocabulary:
Methods (GET, POST, etc.)
HTTP URI syntax (paths, parameters, etc.)
Media types (xml, json, html, plain text, etc)
HTTP Response codes.

4. Introduction to REST Representational State Transfer
Clients possess the information necessary to identify, modify, and/or delete a web resource.
State
All resource state information is stored on the client.
Transfer
Client state is passed from the client to the service through HTTP.

5. In a Nutshell
REST is about resources and how to represent resources in different ways.
REST is about client-server communication.
REST is about how to manipulate resources.
REST offers a simple, interoperable and flexible way of writing web services that can be very different from other techniques.
Comes from Roy Fielding’s Thesis study.

6. REST is NOT!
A protocol.
A standard.
A replacement for SOAP.

7. REST Representational State Transfer
Architectural style (technically not a standard)
Idea: a network of web pages where the client progresses through an application by selecting links
When client traverses link, accesses new resource (i.e., transfers state)
Uses existing standards, e.g., HTTP
REST is an architecture all about the Client-Server communication.

8. HTTP-REST Request Basics
The HTTP request is sent from the client.
Identifies the location of a resource.
Specifies the verb, or HTTP method to use when accessing the resource.
Supplies optional request headers (name-value pairs) that provide additional information the server may need when processing the request.
Supplies an optional request body that identifies additional data to be uploaded to the server (e.g. form parameters, attachments, etc.)
Resource – identified by a URL (or uniform resource locator)
Method – the action verb to perform on a resource
e.g. GET, POST, PUT, DELETE, etc.
Request Headers – name-value pairs of meta-information about the request
e.g. Content types expected by the client
Request Body – data to be streamed from the client to the server
e.g. Attachments, form parameters, etc.

9. HTTP-REST Request Basics
Sample Client Requests:
A typical client GET request:
A typical client POST request:
GET /view?id=1 HTTP/1.1
User-Agent: Chrome
Accept: application/json
[CRLF]
Requested Resource (path and query string)
Request Headers
(no request body)
POST /save HTTP/1.1
User-Agent: IE
Content-Type: application/x-www-form-urlencoded
[CRLF]
name=x&id=2
Requested Resource (typically no query string)
Note: A REST web service may return the representation of a resource in many formats (HTML, XML, JSON, binary).
It is the client’s responsibility to use the “Accept” request header to identify the expected content type of the returned resource.
Request Headers
Request Body (e.g. form parameters)

10. HTTP-REST Response Basics
The HTTP response is sent from the server.
Gives the status of the processed request.
Supplies response headers (name-value pairs) that provide additional information about the response.
Supplies an optional response body that identifies additional data to be downloaded to the client (html, xml, binary data, etc.)
Status – An HTTP status code and status message
e.g. 404 Not Found, 200 OK
Response Headers – name-value pairs of meta-information about the response
e.g. Content-Type
Response Body – Additional data to be streamed from the server to the client
e.g. HTML document, XML document, binary data

11. HTTP-REST Response Basics
Sample Server Responses:
HTTP/ OK
Content-Type: text/html
Content-Length: 1337
[CRLF]
<html>
<!-- Some HTML Content. -->
</html>
Response Status
Response Headers
Response Body (content)
HTTP/ Internal Server Error
Response Status
HTTP/ Created
Location: /view/7
[CRLF]
Some message goes here.
Response Status
Response Header
Response Body

12. HTTP-REST Vocabulary GET – Requests a resource at the request URL
HTTP Methods supported by REST:
GET – Requests a resource at the request URL
Should not contain a request body, as it will be discarded.
May be cached locally or on the server.
May produce a resource, but should not modify on it.
POST – Submits information to the service for processing
Should typically return the new or modified resource.
PUT – Add a new resource at the request URL
DELETE – Removes the resource at the request URL
OPTIONS – Indicates which methods are supported
HEAD – Returns meta information about the request URL
HTTP Methods:
GET – The same request URL should return the same resource every time. The request URL should represent a web resource.
POST – A generic method for submitting information to the service. The outcome is defined by the service. The request URL need not represent a web resource.
PUT – Adds a new resource at the request URL. The resource should then be available through a GET request using the same request URL.
DELETE – Removes the resource at the request URL. The resource should no longer be available via a GET request at that URL.
OPTIONS – Indicates which HTTP methods are supported at the request URL. Useful for identifying
HEAD – Same as GET but only returns meta-information about the resource. The response body will be empty. Useful for requesting information about a resource without having to request the resource itself.
Other HTTP verbs are NOT typically supported in a REST service.
The above guidelines are required if you wish to remain compliant with the HTTP specification
Actual usage of HTTP verbs may vary from implementation to implementation.
When producing a service for consumption by a third-party, it is recommended that the service adhere to the HTTP specification
Difference between POST and PUT:
“The fundamental difference between the POST and PUT requests is reflected in the different meaning of the Request-URI. The URI in a POST request identifies the resource that will handle the enclosed entity. That resource might be a data-accepting process, a gateway to some other protocol, or a separate entity that accepts annotations. In contrast, the URI in a PUT request identifies the entity enclosed with the request -- the user agent knows what URI is intended and the server MUST NOT attempt to apply the request to some other resource. If the server desires that the request be applied to a different URI, it MUST send a 301 (Moved Permanently) response; the user agent MAY then make its own decision regarding whether or not to redirect the request.” – Emphasis added, W3C HTTP Method specification, referenced at end of presentation
Methods Naving No Request Body:
GET, DELETE, OPTIONS, HEAD
Methods Having a Request Body:
POST – body may contain form parameters or other information to be uploaded to the service
PUT – body contains the resource to be represented at the request URL
Methods Supplying No Response Body
HEAD
OPTIONS

13. HTTP-REST Vocabulary
A typical HTTP REST URL:
The protocol identifies the transport scheme that will be used to process and respond to the request.
The host name identifies the server address of the resource.
The path and query string can be used to identify and customize the accessed resource.
protocol
host name
path to a resource
query string

14. HTTP and REST
A REST service framework provides a controller for routing HTTP requests to a request handler according to:
The HTTP method used (e.g. GET, POST)
Supplied path information (e.g /service/listItems)
Query, form, and path parameters
Headers, cookies, etc.

15. REST Characteristics
Resources: Application state and functionality are abstracted into resources.
URI: Every resource is uniquely addressable using URIs.
Uniform Interface: All resources share a uniform
interface for the transfer of state between client and resource, consisting of
Methods: Use only HTTP methods such as GET, PUT, POST, DELETE, HEAD
Representation
Protocol (The constraints and the principles)
Client-Server
Stateless
Cacheable
Layered

16. HTTP Methods GET – safe, idempotent, cacheable PUT - idempotent POST
DELETE - idempotent
HEAD
OPTIONS

17. CRUD Operations Mapped to HTTP Methods in RESTful Web Services
Create
POST
Read
GET
Update
PUT or POST
Delete
DELETE

18. Mapping

19. Example API Mapping

21. REST (Representational State Transfer)

22. Representations Represent to JSON Accept: application/json
Represent to XML
Accept: text/xml

23. What is JSON JSON (Java Script Object Notation)
Exchange data between JavaScript and server
Like array ?

24. Why JSON? Learn more at Stormpath.com Ubiquity Simplicity Readability
Scalability
Flexibility
Learn more at Stormpath.com

25. REST VS SOAP (Call)

26. REST VS SOAP (Control)

27. REST VS SOAP (Link)

28. REST VS SOAP (Cache)

29. REST VS SOAP (Manage)

30. Resources Learn more at Stormpath.com
Nouns, not Verbs Coarse Grained, not Fine Grained Architectural style for use-case scalability
Learn more at Stormpath.com

31. What If? Learn more at Stormpath.com
/getAccount /createDirectory /updateGroup /verifyAccount Address
Learn more at Stormpath.com

32. What If? Learn more at Stormpath.com
/getAccount /getAllAccounts /searchAccounts /createDirectory /createLdapDirectory /updateGroup /updateGroupName /findGroupsByDirectory /searchGroupsByName /verifyAccount Address /verifyAccount AddressByToken … Smells like bad RPC. DON’T DO THIS.
Learn more at Stormpath.com

33. Links Between Resources

34. Caching Control with HTTP Header
Application
Date
Date and time when this representation was generated.
Last Modified
Date and time when the server last modified this representation.
Cache-Control
The HTTP 1.1 header used to control caching.
Expires
Expiration date and time for this representation. To support HTTP 1.0 clients.
Age
Duration passed in seconds since this was fetched from the server. Can be inserted by an intermediary component.

35. Directives in a Cache-Control
Application
Public
The default. Indicates any component can cache this representation.
Private
Intermediary components cannot cache this representation, only client or server can do so.
no-cache/no-store
Caching turned off.
max-age
Duration in seconds after the date-time marked in the Date header for which this representation is valid.
s-maxage
Similar to max-age but only meant for the intermediary caching.
must-revalidate
Indicates that the representation must be revalidated by the server if max-age has passed.
proxy-validate
Similar to max-validate but only meant for the intermediary caching.

36. REST API Design

37. There are only two hard things in computer science: cache invalidation and naming thing Martin fowler

38. What is API

39. API Application Programming Interface Source code interface
For library or OS
Provides services to a program
At its base, like a header file
But, more complete

40. ทำไม API Design ถึงสำคัญ?
Company View
Can be asset – big user investment in learning and using
Bad design can be source of long-term support problems
เมื่อนำมาใช้ก็ยากที่จะเปลี่ยนแปลง
โดยเฉพาะอย่างยิ่งถ้ามีผู้ใช้หลายคน
Public APIs –มีโอากาสปรับแก้ได้ยาก

41. ลักษณะของ Good APIs ง่ายต่อการเรียน ง่ายต่อการใช้แม้จะไม่มีเอกสาร
ยากที่จะผิด
ง่ายต่อการอ่านและการบำรุงรักษารหัสที่ใช้มัน
ที่มีประสิทธิภาพเพียงพอที่จะตอบสนองความต้องการ
ง่ายต่อการขยาย

42. Designing an API Gather requirements Create short specification Hints:
Don’t gather solutions
Extract true requirements
Collect specific scenarios where it will be used
Create short specification
Consult with users to see whether it works
Flesh it out over time
Hints:
Write plugins/use examples before fully designed and implemented
Expect it to evolve

43. Broad Issues to Consider in Design
1. Interface
The classes, methods, parameters, names
2. Resource Management
How is memory, other resources dealt with
3. Error Handling
What errors are caught and what is done
Information Hiding
How much detail is exposed
Impacts all three of the above

44. 1. Interface Principles Simple General Regular Predictable Robust
Adaptable

45. 2. Resource Management Determine which side is responsible for
Initialization
Maintaining state
Sharing and copying
Cleaning up
Various resources
Memory
Files
Global variables

46. 3. Error Handling Catch errors, don’t ignore them
“Print message and fail” is not always good
Especially in APIs
Need to allow programs to recover or save data
Detect at low level, but handle at high level
Generally, error should be handled by calling routine
The callee can leave things in a “nice” state for recovery, though
Keep things usable in case the caller can recover

47. API Design is HARD What is functionality to expose How to expose it
How best to expose it
How to adjust and improve

48. Client Considerations
URL Design
Plural nouns for collections
/dogs
ID for entity
/dogs/1234
Associations
/owners/5678/dogs
4 HTTP Methods
POST GET PUT DELETE
Bias toward concrete names
/dogs (not animals)
Multiple formats in URL
/dogs.json
/dogs.xml
Paginate with limit and offset
?limit=10&offset=0
Query params
?color=red&state=running
Partial selection
?fields=name,state
Use medial capitalization
"createdAt":
myObject.createdAt;
Use verbs for non-resource requests
/convert?from=EUR&to=CNY&amount=100
Search
/search?q=happy%2Blabrador
DNS
api.foo.com
developers.foo.com
Versioning
Include version in URL
/v1/dogs
Keep one previous version long enough for developers to migrate
/v2/dogs
Errors
8 Status Codes
Verbose messages
{"msg": "verbose, plain language hints"}
Client Considerations
Client does not support HTTP status codes
?suppress_response_codes=true
Client does not support HTTP methods
GET /dogs?method=post
GET /dogs
GET /dogs?method=put
GET /dogs?method=delete
Complement API with SDK and code libraries
1. JavaScript
2. …
3. …

49. #resource naming
Follow KISS principle Use nouns for resource names Use verbs actions
Constraints
The REST architectural style describes the following six constraints applied to the architecture, while leaving the implementation of the individual components free to design:
Client–server
A uniform interface separates clients from servers. This separation of concerns means that, for example, clients are not concerned with data storage, which remains internal to each server, so that the portability of client code is improved. Servers are not concerned with the user interface or user state, so that servers can be simpler and more scalable. Servers and clients may also be replaced and developed independently, as long as the interface between them is not altered.
Stateless
The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.
Cacheable
As on the World Wide Web, clients can cache responses. Responses must therefore, implicitly or explicitly, define themselves as cacheable, or not, to prevent clients reusing stale or inappropriate data in response to further requests. Well-managed caching partially or completely eliminates some client–server interactions, further improving scalability and performance.
Layered system
A client cannot ordinarily tell whether it is connected directly to the end server, or to an intermediary along the way. Intermediary servers may improve system scalability by enabling load-balancing and by providing shared caches. They may also enforce security policies.
Code on demand (optional)
Servers can temporarily extend or customize the functionality of a client by the transfer of executable code. Examples of this may include compiled components such as Java applets and client-side scripts such as JavaScript.
Uniform interface
The uniform interface between clients and servers, discussed below, simplifies and decouples the architecture, which enables each part to evolve independently. The four guiding principles of this interface are detailed below.
The only optional constraint of REST architecture is "code on demand". One can characterise applications conforming to the REST constraints described in this section as "RESTful".[8] If a service violates any of the required constraints, it cannot be considered RESTful.
Complying with these constraints, and thus conforming to the REST architectural-style, enables any kind of distributed hypermedia system to have desirable emergent properties, such as performance, scalability, simplicity, modifiability, visibility, portability, and reliability.

50. #resource naming 2 base urls: Collection (plural) /employees Resource
/employees/itramin

51. #resource naming
Use nouns for non-resource actions:
convert
calculate

52. #representation Request header: Content-type Extension Query param
application/json
application/xml
Extension
/employees.json
/employees.xml
/employees/itramin.json
/employees/itramin.xml
Query param
/employees/type=json
/employees/type=xml

53. #http methods
Create
Read
Update
Delete
POST
GET
PUT
DELETE

54. #http methods Resource POST Create GET Read PUT Update DELETE Delete
/employees
Create new emp
Return list of employees
Bulk update or
Error
Delete all employees
/employees/itramin
Not used
Return employee itramin
Update employee itramin
Delete emp itramin

55. #error handling
Error handling is very important for reliable and stable API.
Use appropriate HTTP status codes
Document success and error cases

56. #http status codes Group Comment 1xx Informational(100,101) 2xx
Success(200,201)
3xx
Redirect (301, 304)
4xx
Client error(401, 404, 405)
5xx
Server error(500, 503)
Request received, continuing process.[2]
This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line. Since HTTP/1.0 did not define any 1xx status codes, servers must not send a 1xx response to an HTTP/1.0 client except under experimental conditions.
100 Continue
This means that the server has received the request headers, and that the client should proceed to send the request body (in the case of a request for which a body needs to be sent; for example, a POST request). If the request body is large, sending it to a server when a request has already been rejected based upon inappropriate headers is inefficient. To have a server check if the request could be accepted based on the request's headers alone, a client must send Expect: 100-continue as a header in its initial request[2] and check if a 100 Continue status code is received in response before continuing (or receive 417 Expectation Failed and not continue).[2]
101 Switching Protocols
This means the requester has asked the server to switch protocols and the server is acknowledging that it will do so.[2]
102 Processing (WebDAV; RFC 2518)
As a WebDAV request may contain many sub-requests involving file operations, it may take a long time to complete the request. This code indicates that the server has received and is processing the request, but no response is available yet.[3] This prevents the client from timing out and assuming the request was lost.
2xx Success[edit]
This class of status codes indicates the action requested by the client was received, understood, accepted and processed successfully.
200 OK
Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request the response will contain an entity describing or containing the result of the action.[2]
201 Created
The request has been fulfilled and resulted in a new resource being created.[2]
202 Accepted
The request has been accepted for processing, but the processing has not been completed. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place.[2]
203 Non-Authoritative Information (since HTTP/1.1)
The server successfully processed the request, but is returning information that may be from another source.[2]
204 No Content
The server successfully processed the request, but is not returning any content.[2]
205 Reset Content
The server successfully processed the request, but is not returning any content. Unlike a 204 response, this response requires that the requester reset the document view.[2]
206 Partial Content
The server is delivering only part of the resource due to a range header sent by the client. The range header is used by tools like wget to enable resuming of interrupted downloads, or split a download into multiple simultaneous streams.[2]
207 Multi-Status (WebDAV; RFC 4918)
The message body that follows is an XML message and can contain a number of separate response codes, depending on how many sub-requests were made.[4]
208 Already Reported (WebDAV; RFC 5842)
The members of a DAV binding have already been enumerated in a previous reply to this request, and are not being included again.
226 IM Used (RFC 3229)
The server has fulfilled a GET request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.[5]
3xx Redirection[edit]
The client must take additional action to complete the request.[2]
This class of status code indicates that further action needs to be taken by the user agent to fulfil the request. The action required may be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD. A user agent should not automatically redirect a request more than five times, since such redirections usually indicate an infinite loop.
300 Multiple Choices
Indicates multiple options for the resource that the client may follow. It, for instance, could be used to present different format options for video, list files with different extensions, or word sense disambiguation.[2]
301 Moved Permanently
This and all future requests should be directed to the given URI.[2]
302 Found
This is an example of industry practice contradicting the standard.[2] The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily"),[6] but popular browsers implemented 302 with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviours.[7] However, some Web applications and frameworks use the 302 status code as if it were the 303.[8]
303 See Other (since HTTP/1.1)
The response to the request can be found under another URI using a GET method. When received in response to a POST (or PUT/DELETE), it should be assumed that the server has received the data and the redirect should be issued with a separate GET message.[2]
304 Not Modified
Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-Match.[2] This means that there is no need to retransmit the resource, since the client still has a previously-downloaded copy.
305 Use Proxy (since HTTP/1.1)
The requested resource is only available through a proxy, whose address is provided in the response.[2] Many HTTP clients (such as Mozilla[9] and Internet Explorer) do not correctly handle responses with this status code, primarily for security reasons.[citation needed]
306 Switch Proxy
No longer used.[2] Originally meant "Subsequent requests should use the specified proxy."[10]
307 Temporary Redirect (since HTTP/1.1)
In this case, the request should be repeated with another URI; however, future requests should still use the original URI.[2] In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request. For instance, a POST request should be repeated using another POST request.[11]
308 Permanent Redirect (approved as experimental RFC)[12]
The request, and all future requests should be repeated using another URI. 307 and 308 (as proposed) parallel the behaviours of 302 and 301, but do not allow the HTTP method to change. So, for example, submitting a form to a permanently redirected resource may continue smoothly.
4xx Client Error[edit]
The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These status codes are applicable to any request method. User agents should display any included entity to the user.
400 Bad Request
The request cannot be fulfilled due to bad syntax.[2]
401 Unauthorized
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.[2] The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.
402 Payment Required
Reserved for future use.[2] The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used. As an example of its use, however, Apple's defunct MobileMe service generated a 402 error if the MobileMe account was delinquent.[citation needed] In addition, YouTube uses this status if a particular IP address has made excessive requests, and requires the person to enter a CAPTCHA.
403 Forbidden
The request was a valid request, but the server is refusing to respond to it.[2] Unlike a 401 Unauthorized response, authenticating will make no difference.[2] On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).
404 Not Found
The requested resource could not be found but may be available again in the future.[2] Subsequent requests by the client are permissible.
405 Method Not Allowed
A request was made of a resource using a request method not supported by that resource;[2] for example, using GET on a form which requires data to be presented via POST, or using PUT on a read-only resource.
406 Not Acceptable
The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.[2]
407 Proxy Authentication Required
The client must first authenticate itself with the proxy.[2]
408 Request Timeout
The server timed out waiting for the request.[2] According to W3 HTTP specifications: "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."
409 Conflict
Indicates that the request could not be processed because of conflict in the request, such as an edit conflict.[2]
410 Gone
Indicates that the resource requested is no longer available and will not be available again.[2] This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource again in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a "404 Not Found" may be used instead.
411 Length Required
The request did not specify the length of its content, which is required by the requested resource.[2]
412 Precondition Failed
The server does not meet one of the preconditions that the requester put on the request.[2]
413 Request Entity Too Large
The request is larger than the server is willing or able to process.[2]
414 Request-URI Too Long
The URI provided was too long for the server to process.[2]
415 Unsupported Media Type
The request entity has a media type which the server or resource does not support.[2] For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
416 Requested Range Not Satisfiable
The client has asked for a portion of the file, but the server cannot supply that portion.[2] For example, if the client asked for a part of the file that lies beyond the end of the file.[2]
417 Expectation Failed
The server cannot meet the requirements of the Expect request-header field.[2]
418 I'm a teapot (RFC 2324)
This code was defined in 1998 as one of the traditional IETF April Fools' jokes, in RFC 2324, Hyper Text Coffee Pot Control Protocol, and is not expected to be implemented by actual HTTP servers.
419 Authentication Timeout
Not a part of the HTTP standard, 419 Authentication Timeout denotes that previously valid authentication has expired. It is used as an alternative to 401 Unauthorized in order to differentiate from otherwise authenticated clients being denied access to specific server resources.
420 Enhance Your Calm (Twitter)
Not part of the HTTP standard, but returned by the Twitter Search and Trends API when the client is being rate limited.[13] Other services may wish to implement the 429 Too Many Requests response code instead.
422 Unprocessable Entity (WebDAV; RFC 4918)
The request was well-formed but was unable to be followed due to semantic errors.[4]
423 Locked (WebDAV; RFC 4918)
The resource that is being accessed is locked.[4]
424 Failed Dependency (WebDAV; RFC 4918)
The request failed due to failure of a previous request (e.g. a PROPPATCH).[4]
424 Method Failure (WebDAV)[14]
Indicates the method was not executed on a particular resource within its scope because some part of the method's execution failed causing the entire method to be aborted.
425 Unordered Collection (Internet draft)
Defined in drafts of "WebDAV Advanced Collections Protocol",[15] but not present in "Web Distributed Authoring and Versioning (WebDAV) Ordered Collections Protocol".[16]
426 Upgrade Required (RFC 2817)
The client should switch to a different protocol such as TLS/1.0.[17]
428 Precondition Required (RFC 6585)
The origin server requires the request to be conditional. Intended to prevent "the 'lost update' problem, where a client GETs a resource's state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict."[18]
429 Too Many Requests (RFC 6585)
The user has sent too many requests in a given amount of time. Intended for use with rate limiting schemes.[18]
431 Request Header Fields Too Large (RFC 6585)
The server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large.[18]
444 No Response (Nginx)
Used in Nginx logs to indicate that the server has returned no information to the client and closed the connection (useful as a deterrent for malware).
449 Retry With (Microsoft)
A Microsoft extension. The request should be retried after performing the appropriate action.[19]
Often search-engines or custom applications will ignore required parameters. Where no default action is appropriate, the Aviongoo website sends a "HTTP/ Retry with valid parameters: param1, param2, . . ." response. The applications may choose to learn, or not.
450 Blocked by Windows Parental Controls (Microsoft)
A Microsoft extension. This error is given when Windows Parental Controls are turned on and are blocking access to the given webpage.[20]
451 Unavailable For Legal Reasons (Internet draft)
Defined in the internet draft "A New HTTP Status Code for Legally-restricted Resources".[21] Intended to be used when resource access is denied for legal reasons, e.g. censorship or government-mandated blocked access. A reference to the 1953 dystopian novel Fahrenheit 451, where books are outlawed.[22]
451 Redirect (Microsoft)
Used in Exchange ActiveSync if there either is a more efficient server to use or the server can't access the users' mailbox.[23]
The client is supposed to re-run the HTTP Autodiscovery protocol to find a better suited server.[24]
494 Request Header Too Large (Nginx)
Nginx internal code similar to 413 but it was introduced earlier.[25][original research?]
495 Cert Error (Nginx)
Nginx internal code used when SSL client certificate error occurred to distinguish it from 4XX in a log and an error page redirection.
496 No Cert (Nginx)
Nginx internal code used when client didn't provide certificate to distinguish it from 4XX in a log and an error page redirection.
497 HTTP to HTTPS (Nginx)
Nginx internal code used for the plain HTTP requests that are sent to HTTPS port to distinguish it from 4XX in a log and an error page redirection.
499 Client Closed Request (Nginx)
Used in Nginx logs to indicate when the connection has been closed by client while the server is still processing its request, making server unable to send a status code back.[26]
5xx Server Error[edit]
The server failed to fulfill an apparently valid request.[2]
Response status codes beginning with the digit "5" indicate cases in which the server is aware that it has encountered an error or is otherwise incapable of performing the request. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and indicate whether it is a temporary or permanent condition. Likewise, user agents should display any included entity to the user. These response codes are applicable to any request method.
500 Internal Server Error
A generic error message, given when no more specific message is suitable.[2]
501 Not Implemented
The server either does not recognize the request method, or it lacks the ability to fulfill the request.[2]
502 Bad Gateway
The server was acting as a gateway or proxy and received an invalid response from the upstream server.[2]
503 Service Unavailable
The server is currently unavailable (because it is overloaded or down for maintenance).[2] Generally, this is a temporary state.
504 Gateway Timeout
The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.[2]
505 HTTP Version Not Supported
The server does not support the HTTP protocol version used in the request.[2]
506 Variant Also Negotiates (RFC 2295)
Transparent content negotiation for the request results in a circular reference.[27]
507 Insufficient Storage (WebDAV; RFC 4918)
The server is unable to store the representation needed to complete the request.[4]
508 Loop Detected (WebDAV; RFC 5842)
The server detected an infinite loop while processing the request (sent in lieu of 208).
509 Bandwidth Limit Exceeded (Apache bw/limited extension)
This status code, while used by many servers, is not specified in any RFCs.
510 Not Extended (RFC 2774)
Further extensions to the request are required for the server to fulfil it.[28]
511 Network Authentication Required (RFC 6585)
The client needs to authenticate to gain network access. Intended for use by intercepting proxies used to control access to the network (e.g. "captive portals" used to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot).[18]
598 Network read timeout error (Unknown)
This status code is not specified in any RFCs, but is used by Microsoft HTTP proxies to signal a network read timeout behind the proxy to a client in front of the proxy.[citation needed]
599 Network connect timeout error (Unknown)
This status code is not specified in any RFCs, but is used by Microsoft HTTP proxies to signal a network connect timeout behind the proxy to a client in front of the proxy.[citation needed]

57. #error messages Consider the following: For user For developer
Unique error code
Link to documentation
Request received, continuing process.[2]
This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line. Since HTTP/1.0 did not define any 1xx status codes, servers must not send a 1xx response to an HTTP/1.0 client except under experimental conditions.
100 Continue
This means that the server has received the request headers, and that the client should proceed to send the request body (in the case of a request for which a body needs to be sent; for example, a POST request). If the request body is large, sending it to a server when a request has already been rejected based upon inappropriate headers is inefficient. To have a server check if the request could be accepted based on the request's headers alone, a client must send Expect: 100-continue as a header in its initial request[2] and check if a 100 Continue status code is received in response before continuing (or receive 417 Expectation Failed and not continue).[2]
101 Switching Protocols
This means the requester has asked the server to switch protocols and the server is acknowledging that it will do so.[2]
102 Processing (WebDAV; RFC 2518)
As a WebDAV request may contain many sub-requests involving file operations, it may take a long time to complete the request. This code indicates that the server has received and is processing the request, but no response is available yet.[3] This prevents the client from timing out and assuming the request was lost.
2xx Success[edit]
This class of status codes indicates the action requested by the client was received, understood, accepted and processed successfully.
200 OK
Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request the response will contain an entity describing or containing the result of the action.[2]
201 Created
The request has been fulfilled and resulted in a new resource being created.[2]
202 Accepted
The request has been accepted for processing, but the processing has not been completed. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place.[2]
203 Non-Authoritative Information (since HTTP/1.1)
The server successfully processed the request, but is returning information that may be from another source.[2]
204 No Content
The server successfully processed the request, but is not returning any content.[2]
205 Reset Content
The server successfully processed the request, but is not returning any content. Unlike a 204 response, this response requires that the requester reset the document view.[2]
206 Partial Content
The server is delivering only part of the resource due to a range header sent by the client. The range header is used by tools like wget to enable resuming of interrupted downloads, or split a download into multiple simultaneous streams.[2]
207 Multi-Status (WebDAV; RFC 4918)
The message body that follows is an XML message and can contain a number of separate response codes, depending on how many sub-requests were made.[4]
208 Already Reported (WebDAV; RFC 5842)
The members of a DAV binding have already been enumerated in a previous reply to this request, and are not being included again.
226 IM Used (RFC 3229)
The server has fulfilled a GET request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.[5]
3xx Redirection[edit]
The client must take additional action to complete the request.[2]
This class of status code indicates that further action needs to be taken by the user agent to fulfil the request. The action required may be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD. A user agent should not automatically redirect a request more than five times, since such redirections usually indicate an infinite loop.
300 Multiple Choices
Indicates multiple options for the resource that the client may follow. It, for instance, could be used to present different format options for video, list files with different extensions, or word sense disambiguation.[2]
301 Moved Permanently
This and all future requests should be directed to the given URI.[2]
302 Found
This is an example of industry practice contradicting the standard.[2] The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily"),[6] but popular browsers implemented 302 with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviours.[7] However, some Web applications and frameworks use the 302 status code as if it were the 303.[8]
303 See Other (since HTTP/1.1)
The response to the request can be found under another URI using a GET method. When received in response to a POST (or PUT/DELETE), it should be assumed that the server has received the data and the redirect should be issued with a separate GET message.[2]
304 Not Modified
Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-Match.[2] This means that there is no need to retransmit the resource, since the client still has a previously-downloaded copy.
305 Use Proxy (since HTTP/1.1)
The requested resource is only available through a proxy, whose address is provided in the response.[2] Many HTTP clients (such as Mozilla[9] and Internet Explorer) do not correctly handle responses with this status code, primarily for security reasons.[citation needed]
306 Switch Proxy
No longer used.[2] Originally meant "Subsequent requests should use the specified proxy."[10]
307 Temporary Redirect (since HTTP/1.1)
In this case, the request should be repeated with another URI; however, future requests should still use the original URI.[2] In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request. For instance, a POST request should be repeated using another POST request.[11]
308 Permanent Redirect (approved as experimental RFC)[12]
The request, and all future requests should be repeated using another URI. 307 and 308 (as proposed) parallel the behaviours of 302 and 301, but do not allow the HTTP method to change. So, for example, submitting a form to a permanently redirected resource may continue smoothly.
4xx Client Error[edit]
The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These status codes are applicable to any request method. User agents should display any included entity to the user.
400 Bad Request
The request cannot be fulfilled due to bad syntax.[2]
401 Unauthorized
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.[2] The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.
402 Payment Required
Reserved for future use.[2] The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used. As an example of its use, however, Apple's defunct MobileMe service generated a 402 error if the MobileMe account was delinquent.[citation needed] In addition, YouTube uses this status if a particular IP address has made excessive requests, and requires the person to enter a CAPTCHA.
403 Forbidden
The request was a valid request, but the server is refusing to respond to it.[2] Unlike a 401 Unauthorized response, authenticating will make no difference.[2] On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).
404 Not Found
The requested resource could not be found but may be available again in the future.[2] Subsequent requests by the client are permissible.
405 Method Not Allowed
A request was made of a resource using a request method not supported by that resource;[2] for example, using GET on a form which requires data to be presented via POST, or using PUT on a read-only resource.
406 Not Acceptable
The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.[2]
407 Proxy Authentication Required
The client must first authenticate itself with the proxy.[2]
408 Request Timeout
The server timed out waiting for the request.[2] According to W3 HTTP specifications: "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."
409 Conflict
Indicates that the request could not be processed because of conflict in the request, such as an edit conflict.[2]
410 Gone
Indicates that the resource requested is no longer available and will not be available again.[2] This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource again in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a "404 Not Found" may be used instead.
411 Length Required
The request did not specify the length of its content, which is required by the requested resource.[2]
412 Precondition Failed
The server does not meet one of the preconditions that the requester put on the request.[2]
413 Request Entity Too Large
The request is larger than the server is willing or able to process.[2]
414 Request-URI Too Long
The URI provided was too long for the server to process.[2]
415 Unsupported Media Type
The request entity has a media type which the server or resource does not support.[2] For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
416 Requested Range Not Satisfiable
The client has asked for a portion of the file, but the server cannot supply that portion.[2] For example, if the client asked for a part of the file that lies beyond the end of the file.[2]
417 Expectation Failed
The server cannot meet the requirements of the Expect request-header field.[2]
418 I'm a teapot (RFC 2324)
This code was defined in 1998 as one of the traditional IETF April Fools' jokes, in RFC 2324, Hyper Text Coffee Pot Control Protocol, and is not expected to be implemented by actual HTTP servers.
419 Authentication Timeout
Not a part of the HTTP standard, 419 Authentication Timeout denotes that previously valid authentication has expired. It is used as an alternative to 401 Unauthorized in order to differentiate from otherwise authenticated clients being denied access to specific server resources.
420 Enhance Your Calm (Twitter)
Not part of the HTTP standard, but returned by the Twitter Search and Trends API when the client is being rate limited.[13] Other services may wish to implement the 429 Too Many Requests response code instead.
422 Unprocessable Entity (WebDAV; RFC 4918)
The request was well-formed but was unable to be followed due to semantic errors.[4]
423 Locked (WebDAV; RFC 4918)
The resource that is being accessed is locked.[4]
424 Failed Dependency (WebDAV; RFC 4918)
The request failed due to failure of a previous request (e.g. a PROPPATCH).[4]
424 Method Failure (WebDAV)[14]
Indicates the method was not executed on a particular resource within its scope because some part of the method's execution failed causing the entire method to be aborted.
425 Unordered Collection (Internet draft)
Defined in drafts of "WebDAV Advanced Collections Protocol",[15] but not present in "Web Distributed Authoring and Versioning (WebDAV) Ordered Collections Protocol".[16]
426 Upgrade Required (RFC 2817)
The client should switch to a different protocol such as TLS/1.0.[17]
428 Precondition Required (RFC 6585)
The origin server requires the request to be conditional. Intended to prevent "the 'lost update' problem, where a client GETs a resource's state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict."[18]
429 Too Many Requests (RFC 6585)
The user has sent too many requests in a given amount of time. Intended for use with rate limiting schemes.[18]
431 Request Header Fields Too Large (RFC 6585)
The server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large.[18]
444 No Response (Nginx)
Used in Nginx logs to indicate that the server has returned no information to the client and closed the connection (useful as a deterrent for malware).
449 Retry With (Microsoft)
A Microsoft extension. The request should be retried after performing the appropriate action.[19]
Often search-engines or custom applications will ignore required parameters. Where no default action is appropriate, the Aviongoo website sends a "HTTP/ Retry with valid parameters: param1, param2, . . ." response. The applications may choose to learn, or not.
450 Blocked by Windows Parental Controls (Microsoft)
A Microsoft extension. This error is given when Windows Parental Controls are turned on and are blocking access to the given webpage.[20]
451 Unavailable For Legal Reasons (Internet draft)
Defined in the internet draft "A New HTTP Status Code for Legally-restricted Resources".[21] Intended to be used when resource access is denied for legal reasons, e.g. censorship or government-mandated blocked access. A reference to the 1953 dystopian novel Fahrenheit 451, where books are outlawed.[22]
451 Redirect (Microsoft)
Used in Exchange ActiveSync if there either is a more efficient server to use or the server can't access the users' mailbox.[23]
The client is supposed to re-run the HTTP Autodiscovery protocol to find a better suited server.[24]
494 Request Header Too Large (Nginx)
Nginx internal code similar to 413 but it was introduced earlier.[25][original research?]
495 Cert Error (Nginx)
Nginx internal code used when SSL client certificate error occurred to distinguish it from 4XX in a log and an error page redirection.
496 No Cert (Nginx)
Nginx internal code used when client didn't provide certificate to distinguish it from 4XX in a log and an error page redirection.
497 HTTP to HTTPS (Nginx)
Nginx internal code used for the plain HTTP requests that are sent to HTTPS port to distinguish it from 4XX in a log and an error page redirection.
499 Client Closed Request (Nginx)
Used in Nginx logs to indicate when the connection has been closed by client while the server is still processing its request, making server unable to send a status code back.[26]
5xx Server Error[edit]
The server failed to fulfill an apparently valid request.[2]
Response status codes beginning with the digit "5" indicate cases in which the server is aware that it has encountered an error or is otherwise incapable of performing the request. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and indicate whether it is a temporary or permanent condition. Likewise, user agents should display any included entity to the user. These response codes are applicable to any request method.
500 Internal Server Error
A generic error message, given when no more specific message is suitable.[2]
501 Not Implemented
The server either does not recognize the request method, or it lacks the ability to fulfill the request.[2]
502 Bad Gateway
The server was acting as a gateway or proxy and received an invalid response from the upstream server.[2]
503 Service Unavailable
The server is currently unavailable (because it is overloaded or down for maintenance).[2] Generally, this is a temporary state.
504 Gateway Timeout
The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.[2]
505 HTTP Version Not Supported
The server does not support the HTTP protocol version used in the request.[2]
506 Variant Also Negotiates (RFC 2295)
Transparent content negotiation for the request results in a circular reference.[27]
507 Insufficient Storage (WebDAV; RFC 4918)
The server is unable to store the representation needed to complete the request.[4]
508 Loop Detected (WebDAV; RFC 5842)
The server detected an infinite loop while processing the request (sent in lieu of 208).
509 Bandwidth Limit Exceeded (Apache bw/limited extension)
This status code, while used by many servers, is not specified in any RFCs.
510 Not Extended (RFC 2774)
Further extensions to the request are required for the server to fulfil it.[28]
511 Network Authentication Required (RFC 6585)
The client needs to authenticate to gain network access. Intended for use by intercepting proxies used to control access to the network (e.g. "captive portals" used to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot).[18]
598 Network read timeout error (Unknown)
This status code is not specified in any RFCs, but is used by Microsoft HTTP proxies to signal a network read timeout behind the proxy to a client in front of the proxy.[citation needed]
599 Network connect timeout error (Unknown)
This status code is not specified in any RFCs, but is used by Microsoft HTTP proxies to signal a network connect timeout behind the proxy to a client in front of the proxy.[citation needed]

58. #error messages
{ userMessage:”Show this error to user”, devMessage:”Detailed error for developer”, “errorCode”: 12345, “doc”:” }
Request received, continuing process.[2]
This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line. Since HTTP/1.0 did not define any 1xx status codes, servers must not send a 1xx response to an HTTP/1.0 client except under experimental conditions.
100 Continue
This means that the server has received the request headers, and that the client should proceed to send the request body (in the case of a request for which a body needs to be sent; for example, a POST request). If the request body is large, sending it to a server when a request has already been rejected based upon inappropriate headers is inefficient. To have a server check if the request could be accepted based on the request's headers alone, a client must send Expect: 100-continue as a header in its initial request[2] and check if a 100 Continue status code is received in response before continuing (or receive 417 Expectation Failed and not continue).[2]
101 Switching Protocols
This means the requester has asked the server to switch protocols and the server is acknowledging that it will do so.[2]
102 Processing (WebDAV; RFC 2518)
As a WebDAV request may contain many sub-requests involving file operations, it may take a long time to complete the request. This code indicates that the server has received and is processing the request, but no response is available yet.[3] This prevents the client from timing out and assuming the request was lost.
2xx Success[edit]
This class of status codes indicates the action requested by the client was received, understood, accepted and processed successfully.
200 OK
Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request the response will contain an entity describing or containing the result of the action.[2]
201 Created
The request has been fulfilled and resulted in a new resource being created.[2]
202 Accepted
The request has been accepted for processing, but the processing has not been completed. The request might or might not eventually be acted upon, as it might be disallowed when processing actually takes place.[2]
203 Non-Authoritative Information (since HTTP/1.1)
The server successfully processed the request, but is returning information that may be from another source.[2]
204 No Content
The server successfully processed the request, but is not returning any content.[2]
205 Reset Content
The server successfully processed the request, but is not returning any content. Unlike a 204 response, this response requires that the requester reset the document view.[2]
206 Partial Content
The server is delivering only part of the resource due to a range header sent by the client. The range header is used by tools like wget to enable resuming of interrupted downloads, or split a download into multiple simultaneous streams.[2]
207 Multi-Status (WebDAV; RFC 4918)
The message body that follows is an XML message and can contain a number of separate response codes, depending on how many sub-requests were made.[4]
208 Already Reported (WebDAV; RFC 5842)
The members of a DAV binding have already been enumerated in a previous reply to this request, and are not being included again.
226 IM Used (RFC 3229)
The server has fulfilled a GET request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.[5]
3xx Redirection[edit]
The client must take additional action to complete the request.[2]
This class of status code indicates that further action needs to be taken by the user agent to fulfil the request. The action required may be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD. A user agent should not automatically redirect a request more than five times, since such redirections usually indicate an infinite loop.
300 Multiple Choices
Indicates multiple options for the resource that the client may follow. It, for instance, could be used to present different format options for video, list files with different extensions, or word sense disambiguation.[2]
301 Moved Permanently
This and all future requests should be directed to the given URI.[2]
302 Found
This is an example of industry practice contradicting the standard.[2] The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily"),[6] but popular browsers implemented 302 with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviours.[7] However, some Web applications and frameworks use the 302 status code as if it were the 303.[8]
303 See Other (since HTTP/1.1)
The response to the request can be found under another URI using a GET method. When received in response to a POST (or PUT/DELETE), it should be assumed that the server has received the data and the redirect should be issued with a separate GET message.[2]
304 Not Modified
Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-Match.[2] This means that there is no need to retransmit the resource, since the client still has a previously-downloaded copy.
305 Use Proxy (since HTTP/1.1)
The requested resource is only available through a proxy, whose address is provided in the response.[2] Many HTTP clients (such as Mozilla[9] and Internet Explorer) do not correctly handle responses with this status code, primarily for security reasons.[citation needed]
306 Switch Proxy
No longer used.[2] Originally meant "Subsequent requests should use the specified proxy."[10]
307 Temporary Redirect (since HTTP/1.1)
In this case, the request should be repeated with another URI; however, future requests should still use the original URI.[2] In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request. For instance, a POST request should be repeated using another POST request.[11]
308 Permanent Redirect (approved as experimental RFC)[12]
The request, and all future requests should be repeated using another URI. 307 and 308 (as proposed) parallel the behaviours of 302 and 301, but do not allow the HTTP method to change. So, for example, submitting a form to a permanently redirected resource may continue smoothly.
4xx Client Error[edit]
The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These status codes are applicable to any request method. User agents should display any included entity to the user.
400 Bad Request
The request cannot be fulfilled due to bad syntax.[2]
401 Unauthorized
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.[2] The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.
402 Payment Required
Reserved for future use.[2] The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used. As an example of its use, however, Apple's defunct MobileMe service generated a 402 error if the MobileMe account was delinquent.[citation needed] In addition, YouTube uses this status if a particular IP address has made excessive requests, and requires the person to enter a CAPTCHA.
403 Forbidden
The request was a valid request, but the server is refusing to respond to it.[2] Unlike a 401 Unauthorized response, authenticating will make no difference.[2] On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).
404 Not Found
The requested resource could not be found but may be available again in the future.[2] Subsequent requests by the client are permissible.
405 Method Not Allowed
A request was made of a resource using a request method not supported by that resource;[2] for example, using GET on a form which requires data to be presented via POST, or using PUT on a read-only resource.
406 Not Acceptable
The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.[2]
407 Proxy Authentication Required
The client must first authenticate itself with the proxy.[2]
408 Request Timeout
The server timed out waiting for the request.[2] According to W3 HTTP specifications: "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."
409 Conflict
Indicates that the request could not be processed because of conflict in the request, such as an edit conflict.[2]
410 Gone
Indicates that the resource requested is no longer available and will not be available again.[2] This should be used when a resource has been intentionally removed and the resource should be purged. Upon receiving a 410 status code, the client should not request the resource again in the future. Clients such as search engines should remove the resource from their indices. Most use cases do not require clients and search engines to purge the resource, and a "404 Not Found" may be used instead.
411 Length Required
The request did not specify the length of its content, which is required by the requested resource.[2]
412 Precondition Failed
The server does not meet one of the preconditions that the requester put on the request.[2]
413 Request Entity Too Large
The request is larger than the server is willing or able to process.[2]
414 Request-URI Too Long
The URI provided was too long for the server to process.[2]
415 Unsupported Media Type
The request entity has a media type which the server or resource does not support.[2] For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
416 Requested Range Not Satisfiable
The client has asked for a portion of the file, but the server cannot supply that portion.[2] For example, if the client asked for a part of the file that lies beyond the end of the file.[2]
417 Expectation Failed
The server cannot meet the requirements of the Expect request-header field.[2]
418 I'm a teapot (RFC 2324)
This code was defined in 1998 as one of the traditional IETF April Fools' jokes, in RFC 2324, Hyper Text Coffee Pot Control Protocol, and is not expected to be implemented by actual HTTP servers.
419 Authentication Timeout
Not a part of the HTTP standard, 419 Authentication Timeout denotes that previously valid authentication has expired. It is used as an alternative to 401 Unauthorized in order to differentiate from otherwise authenticated clients being denied access to specific server resources.
420 Enhance Your Calm (Twitter)
Not part of the HTTP standard, but returned by the Twitter Search and Trends API when the client is being rate limited.[13] Other services may wish to implement the 429 Too Many Requests response code instead.
422 Unprocessable Entity (WebDAV; RFC 4918)
The request was well-formed but was unable to be followed due to semantic errors.[4]
423 Locked (WebDAV; RFC 4918)
The resource that is being accessed is locked.[4]
424 Failed Dependency (WebDAV; RFC 4918)
The request failed due to failure of a previous request (e.g. a PROPPATCH).[4]
424 Method Failure (WebDAV)[14]
Indicates the method was not executed on a particular resource within its scope because some part of the method's execution failed causing the entire method to be aborted.
425 Unordered Collection (Internet draft)
Defined in drafts of "WebDAV Advanced Collections Protocol",[15] but not present in "Web Distributed Authoring and Versioning (WebDAV) Ordered Collections Protocol".[16]
426 Upgrade Required (RFC 2817)
The client should switch to a different protocol such as TLS/1.0.[17]
428 Precondition Required (RFC 6585)
The origin server requires the request to be conditional. Intended to prevent "the 'lost update' problem, where a client GETs a resource's state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict."[18]
429 Too Many Requests (RFC 6585)
The user has sent too many requests in a given amount of time. Intended for use with rate limiting schemes.[18]
431 Request Header Fields Too Large (RFC 6585)
The server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large.[18]
444 No Response (Nginx)
Used in Nginx logs to indicate that the server has returned no information to the client and closed the connection (useful as a deterrent for malware).
449 Retry With (Microsoft)
A Microsoft extension. The request should be retried after performing the appropriate action.[19]
Often search-engines or custom applications will ignore required parameters. Where no default action is appropriate, the Aviongoo website sends a "HTTP/ Retry with valid parameters: param1, param2, . . ." response. The applications may choose to learn, or not.
450 Blocked by Windows Parental Controls (Microsoft)
A Microsoft extension. This error is given when Windows Parental Controls are turned on and are blocking access to the given webpage.[20]
451 Unavailable For Legal Reasons (Internet draft)
Defined in the internet draft "A New HTTP Status Code for Legally-restricted Resources".[21] Intended to be used when resource access is denied for legal reasons, e.g. censorship or government-mandated blocked access. A reference to the 1953 dystopian novel Fahrenheit 451, where books are outlawed.[22]
451 Redirect (Microsoft)
Used in Exchange ActiveSync if there either is a more efficient server to use or the server can't access the users' mailbox.[23]
The client is supposed to re-run the HTTP Autodiscovery protocol to find a better suited server.[24]
494 Request Header Too Large (Nginx)
Nginx internal code similar to 413 but it was introduced earlier.[25][original research?]
495 Cert Error (Nginx)
Nginx internal code used when SSL client certificate error occurred to distinguish it from 4XX in a log and an error page redirection.
496 No Cert (Nginx)
Nginx internal code used when client didn't provide certificate to distinguish it from 4XX in a log and an error page redirection.
497 HTTP to HTTPS (Nginx)
Nginx internal code used for the plain HTTP requests that are sent to HTTPS port to distinguish it from 4XX in a log and an error page redirection.
499 Client Closed Request (Nginx)
Used in Nginx logs to indicate when the connection has been closed by client while the server is still processing its request, making server unable to send a status code back.[26]
5xx Server Error[edit]
The server failed to fulfill an apparently valid request.[2]
Response status codes beginning with the digit "5" indicate cases in which the server is aware that it has encountered an error or is otherwise incapable of performing the request. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and indicate whether it is a temporary or permanent condition. Likewise, user agents should display any included entity to the user. These response codes are applicable to any request method.
500 Internal Server Error
A generic error message, given when no more specific message is suitable.[2]
501 Not Implemented
The server either does not recognize the request method, or it lacks the ability to fulfill the request.[2]
502 Bad Gateway
The server was acting as a gateway or proxy and received an invalid response from the upstream server.[2]
503 Service Unavailable
The server is currently unavailable (because it is overloaded or down for maintenance).[2] Generally, this is a temporary state.
504 Gateway Timeout
The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.[2]
505 HTTP Version Not Supported
The server does not support the HTTP protocol version used in the request.[2]
506 Variant Also Negotiates (RFC 2295)
Transparent content negotiation for the request results in a circular reference.[27]
507 Insufficient Storage (WebDAV; RFC 4918)
The server is unable to store the representation needed to complete the request.[4]
508 Loop Detected (WebDAV; RFC 5842)
The server detected an infinite loop while processing the request (sent in lieu of 208).
509 Bandwidth Limit Exceeded (Apache bw/limited extension)
This status code, while used by many servers, is not specified in any RFCs.
510 Not Extended (RFC 2774)
Further extensions to the request are required for the server to fulfil it.[28]
511 Network Authentication Required (RFC 6585)
The client needs to authenticate to gain network access. Intended for use by intercepting proxies used to control access to the network (e.g. "captive portals" used to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot).[18]
598 Network read timeout error (Unknown)
This status code is not specified in any RFCs, but is used by Microsoft HTTP proxies to signal a network read timeout behind the proxy to a client in front of the proxy.[citation needed]
599 Network connect timeout error (Unknown)
This status code is not specified in any RFCs, but is used by Microsoft HTTP proxies to signal a network connect timeout behind the proxy to a client in front of the proxy.[citation needed]

59. #version management Consider versioning during design, no later
Consider support for multiple client
3 general practice:
Part of url
Request param
Request header

60. #version management Part of url Request header
api.azercell.com/azimus/v1/employees
api.azercell.com/azimus/ /employees
Request header
Content-Type: application/json;v=1
Query param – overrides header
?v=1

61. #paging
It is bad idea to return all resources in database, so use paging
Query parameter
Request/response headers

62. #paging Query parameter: Facebook - limit, offset
Twitter – page, rpp(records per page)
LinkedIn – start, count
Consider reasonable default values such as limit=20, offset=0

63. #paging Request header Response header Range: items=0-19
Content-Range: items 0-19/152
Content-Range: items 0-19/*

64. #search&filter&sort Search /employees?q=ramin – (default json)
/employees.xml?q=ramin
Filter
/employees?filter=“name::ramin|department=ICT”
/employees?name=ramin&department=ICT
Sort
/employees?sort=name|surname
/employees?sort=-salary|name

65. #security Authentication Authorization HTTP Basic authentication + SSL
API token,key
Custom authentication mechanism
Authorization
Oauth 1.0
Oauth 2.0
Custom mechanism
Amazon AWS Identity and Access Management
PayPal Permissions Service
Your own homegrown api

66. #security HTTP Basic authentication + SSL GET /employees/ HTTP/1.1
Host:
Authorization: Basic cGhvdG9hcHAuMDAxOmJhc2ljYXV0aA==

67. #cache&scalability Carefully implement caching HTTP/1.1 200 OK
Date: Sat, 06 Jul :56:14 GMT
Last-Modified: Sat, 06 Jul :56:14 GMT
Expires: Sun, 06 Jul :56:14 GMT
Cache-Control: max-age=3600,must-revalidate
Content-Type: application/xml; charset=UTF-8

68. REST API with PHP Microframework
BulletPHP
Fat-Free Framework
Limonade
Lumen
Phalcon
Recess PHP
Silex
Slim
Tonic
The One Framework
Wave Framework
Zaphpa

69. REST API with Java Microframework
Dropwizard
Jersey
Ninja Web Framework
Play Framework
RestExpress
Restlet
Restx
Spark Framework

70. API Design and Database for Demo

71. REST API for Student Quiz
GET /students
GET /students/:id
GET /students/count
POST /students
PUT /students/:id
DELETE /students/:id
GET /quiz
GET /quiz/:id
GET /quiz/count
POST /quiz
PUT /quiz/:id
DELETE /quiz/:id
GET /scores
GET /scores/:id
GET /scores/quiz/:id
GET /scores/quiz/:id/max
GET /scores/quiz/:id/min
GET /scores/quiz/:id/avg
GET /scores/student/:id/total
POST /scores
PUT /scores/:id
DELETE /scores/:id

72. Database students ======== std_id int pk std_name varchar(50) quiz
quiz_id int auto pk
quiz_name varchar(50)
scores
======
scr_id int auto pk
std_id int fk
quiz_id int fk
scr_score decimal(10,2)

73. Writing a RESTful Web Service with Slim

74. How to install and Using Slim Framework
$ composer require slim/slim:~2.0
$app = new \Slim\Slim();
$app->get('/hello/:name', function ($name) {
echo "Hello, " . $name;
});
$app->run();

75. Writing a RESTful Web Service with Node.JS

76. What is Node.JS
As an asynchronous event driven framework, Node.js is designed to build scalable network applications.

77. How to install and Using Node.JS

78. How to install and Using Node.JS
Create project directory and create package.json {
"name": "RESTful-API",
"version": "0.0.1",
"scripts": {
"start": "node Server.js" },
"dependencies": {
"express": "~4.12.2",
"mysql": "~2.5.5",
"body-parser": "~1.12.0",
"MD5": "~1.2.1" }
Run npm install

79. How to install and Using Node.JS
// server.js
// BASE SETUP
// =============================================================================
// call the packages we need
var express = require('express'); // call express
var app = express(); // define our app using express
var bodyParser = require('body-parser'); // configure app to use bodyParser()
// this will let us get the data from a POST
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
var port = process.env.PORT || 8080; // set our port
// ROUTES FOR OUR API
var router = express.Router(); // get an instance of the express Router
// test route to make sure everything is working (accessed at GET
router.get('/', function(req, res) {
res.json({ message: 'hooray! welcome to our api!' });
});
// more routes for our API will happen here
// REGISTER OUR ROUTES
// all of our routes will be prefixed with /api
app.use('/api', router);
// START THE SERVER
app.listen(port); console.log('Magic happens on port ' + port);

80. How to install and Using Node.JS
// server.js
var express = require('express');
var app = express();
var bodyParser = require('body-parser');
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
var port = process.env.PORT || 8080;
var router = express.Router();
router.get('/', function(req, res) {
res.json({ message: 'hooray! welcome to our api!' });
});
app.use('/api', router);
app.listen(port);
console.log('Magic happens on port ' + port);

81. Demo