4
votes

I have a RESTful web service which requires an end-user license agreement (EULA) to be accepted before it can be used.

Which HTTP status code would be most appropriate for the web service to return if the EULA has not (yet) been accepted?

Currently I see the following possibilities (my current favorite in bold):

  • 403 Forbidden
  • 412 Precondition Failed
  • 417 Expectation Failed
  • 423 Locked
  • 428 Precondition Required
  • 451 Unavailable For Legal Reasons
So, just pick any. What's your question? :) For picking the "most appropriate" status code you can list all conditions for which you can send them, and cross any of your list whose requirements don't match your scenario. – CodeCaster
I see there's a few close votes. Apparently this is considered an opinion-driven question which surprises me - is it really just my personal taste? After all HTTP status codes are standardized, so would it be ok if I chose e.g. 404 to signal the EULA issue, even if everybody seeing that status code would immediately think the requested resource is not there? – Alexander Tobias Bockstaller
It's not that the question is opinion-based, but that as currently stated it attracts opinion-based answers rather than answers based on facts. This is inherent to questions about "Which HTTP status code to use for arbitrary situation X", because people don't bother to read the RFCs. You should be able to do that just fine as I indicated in my previous comment. List the candidate codes and eliminate any whose conditions your situation does not match. – CodeCaster
I like 451 too, thanks, it's my new favorite http status code :) However, I think 403 is more appropriate. According to RFC 7725: "The use of the 451 status code implies neither the existence nor nonexistence of the resource named in the request. That is to say, it is possible that if the legal demands were removed, a request for the resource still might not succeed." tools.ietf.org/html/rfc7725 In other words, it's more like a 404 "this doesn't exist," whereas what you really want to say is "it's there, but I'm not letting you see it." – stephan.com

3 Answers

3
votes

As suggested by CodeCaster I went to w3.org and looked at the definitions of HTTP Status Codes in RFC2616. I found Status Code 403 to be most appropriate:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
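To make the 403 choice concrete, here is an added example (not code from the question or from this answer) of a request handler that keeps the EULA gate separate from authentication: missing credentials get a 401 with WWW-Authenticate, an authenticated user who has not accepted the EULA gets a 403 whose entity explains the refusal as RFC 2616 10.4.4 allows, and everyone else gets through. The user store, tokens and EULA URL are constructed placeholders.

```python
import hmac
import json
from http import HTTPStatus

# Constructed in-memory user store for this example (hypothetical data).
USERS = {
    "alice": {"token": "tok-alice", "eula_accepted": True},
    "bob":   {"token": "tok-bob",   "eula_accepted": False},
}
EULA_URL = "https://example.invalid/eula"  # placeholder, not a real endpoint


def authenticate(headers):
    """Return the user name for a valid 'Bearer <token>' Authorization header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    for name, record in USERS.items():
        # Constant-time comparison so token lookup does not leak timing information.
        if hmac.compare_digest(record["token"], token):
            return name
    return None


def handle_request(headers):
    """Return (status, response_headers, body) for a request to the protected resource."""
    user = authenticate(headers)
    if user is None:
        # No valid credentials: 401 applies, and the response must carry WWW-Authenticate.
        return HTTPStatus.UNAUTHORIZED, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
    if not USERS[user]["eula_accepted"]:
        # Authenticated, but the EULA has not been accepted. Authorization will not help,
        # so 403 fits; the entity states the reason and where to accept the EULA.
        body = json.dumps({
            "error": "eula_not_accepted",
            "message": "You must accept the EULA before using this service.",
            "eula": EULA_URL,
        })
        return HTTPStatus.FORBIDDEN, {"Content-Type": "application/json"}, body
    return HTTPStatus.OK, {"Content-Type": "application/json"}, json.dumps({"hello": user})
```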

0
votes

Messages should be self-explanatory; my vote is also for 412 Precondition Failed.

0
votes

401 Unauthorized

As George Clooney would say: "What else!". You authorize people accessing your service after they agree with the EULA. They didn't do that, so they aren't authorized (to be compliant with the RFC, authenticating and retrying clients would have to include the WWW-Authenticate header, but you must somehow provide that information anyway, and this way is just as good as any other way).

On a different thought, you could just as well return 301 pointing to the agreement page. The reasoning behind that approach would be that 4xx codes signal an error condition. However, not having agreed to the EULA yet is (other than a failed authentication) not really an error condition. It's preventing the service from being used, yes... but everything is "working fine".