
Most people, as they surf the web, would get a warning from their browser if they approach a website with an SSL certificate issued by an unknown authority, or one even known as a malicious place.

Now, thousands of developers - over 80% of Java-related projects using Maven Central - download software components known to have vulnerabilities; sometimes there are even judicial consequences.

So I thought to discuss a plugin for a binary repository, coupled with the NVD database, that issues a warning HTTP header if a client requests a component with a known vulnerability.

Which HTTP code should be used for that - if a non-opinionated option is possible at all? I fail to identify one myself in the list of known codes.

UPD: the server's answer is basically a file download; if this succeeds you see a Maven log line like "download ok", and if it is not ok, the build breaks. So I am searching for a "soft" method to filter out problematic resources.

asked Mar 5, 2018 at 15:03

1 Answer 1


If the purpose of your webserver is to tell that some resource should not be used because it is deemed insecure, why not send 404? Or even the stronger 410.

If the purpose is instead to deliver the resource but at the same time to warn about some insecure situation, I do not believe you can do that with an HTTP header.

But if you want to deliver useful detailed messages to the client, you should reply 200 with the body being a JSON document or something like that coding for all messages you want to give the client.

answered Mar 5, 2018 at 15:16
  • Hi, Patrick, thanks - given that the client is headless I can't display anything. Commented Mar 5, 2018 at 16:12
  • 1
    So you are either strict and deny the access completely (404, 410, etc.) or you want/need to be nicer and then just let the access pass through but you record this "insecure delivery" in your log files on the server side and then act on it in some way out of band. You could also add any X-Something HTTP header (while it is a little frowned upon) in your reply, but then if the client does nothing with them it is pointless. Commented Mar 5, 2018 at 16:15
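The two options the answer and its comments describe, as an added example that is not part of the original question or answer: a minimal repository front end that maps a Maven request path to `group:artifact:version`, consults an in-memory advisory table standing in for an NVD lookup (the coordinates and CVE identifiers in it are constructed placeholders, not real advisories), and either refuses the component with 410 (the "strict" policy, which breaks the build) or serves it with 200 while logging the delivery server-side and adding an `X-Vulnerability-Advisory` header that a headless client is free to ignore. The header name, the `ADVISORIES` table, and the `decide` helper are all assumptions made for this illustration.

```python
"""Added example (not from the original page): a Maven repository gate that
applies the 'strict' (410) or 'warn' (200 + X- header + server-side log)
policy to components that have a known advisory.

Assumptions (not from the page): the standard Maven repository layout
/group/path/artifact/version/artifact-version.ext, an in-memory ADVISORIES
dict standing in for an NVD lookup, and the invented header name
X-Vulnerability-Advisory.
"""
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("repo-gate")

# Constructed sample advisories keyed by Maven coordinates (group:artifact:version).
# The CVE identifiers are placeholders, not real advisories.
ADVISORIES: Dict[str, List[str]] = {
    "org.example:widget:1.0.0": ["CVE-0000-0001 (constructed)"],
    "org.example:parser:2.3.1": ["CVE-0000-0002 (constructed)",
                                 "CVE-0000-0003 (constructed)"],
}


def coordinates(path: str) -> Optional[str]:
    """Map a repository path such as /org/example/widget/1.0.0/widget-1.0.0.jar
    to 'org.example:widget:1.0.0'. Returns None for paths that are not artifact
    files under the standard layout (directory listings, maven-metadata.xml)."""
    parts = path.strip("/").split("/")
    if len(parts) < 4:
        return None
    file_name, version, artifact = parts[-1], parts[-2], parts[-3]
    group = ".".join(parts[:-3])
    # Under the standard layout the file name starts with artifact-version;
    # anything else (e.g. maven-metadata.xml) is not a component download.
    if not file_name.startswith(f"{artifact}-{version}"):
        return None
    return f"{group}:{artifact}:{version}"


def decide(path: str, policy: str) -> Tuple[int, Dict[str, str]]:
    """Return (HTTP status, extra response headers) for a GET of `path`.

    policy == "strict": a component with an advisory is refused with 410 Gone,
                        so the client's build breaks.
    policy == "warn":   the component is served (200), the delivery is logged
                        on the server side, and the advisories are echoed in an
                        X- header that a headless client may simply ignore.
    """
    coords = coordinates(path)
    advisories = ADVISORIES.get(coords, []) if coords else []
    if not advisories:
        return 200, {}
    if policy == "strict":
        log.warning("refused %s: %s", coords, advisories)
        return 410, {}
    log.warning("served vulnerable component %s: %s", coords, advisories)
    return 200, {"X-Vulnerability-Advisory": "; ".join(advisories)}


class GateHandler(BaseHTTPRequestHandler):
    policy = "warn"  # set to "strict" to deny vulnerable components outright

    def do_GET(self) -> None:
        status, extra = decide(self.path, self.policy)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        # A real plugin would stream the artifact from storage here; this demo
        # returns a placeholder body so the exchange can be observed with curl.
        body = b"<artifact bytes would go here>\n" if status == 200 else b""
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # suppress per-request access logging
        pass


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    HTTPServer(("127.0.0.1", 8080), GateHandler).serve_forever()
```

Run it and request `http://127.0.0.1:8080/org/example/widget/1.0.0/widget-1.0.0.jar` with `curl -i`: with the default "warn" policy the response is 200 with the X- header and a warning in the server log, with `policy = "strict"` it is 410 and the download fails. Note that the "warn" path only helps if something (a log pipeline, or a client that inspects headers) acts on it, which is exactly the caveat raised in the comments.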
