I had a discussion with one of my reports today about HTTP response codes that really got me thinking. It stemmed from a code review (they're essential!), and the crux of the question is: Why bother writing additional code to use 401: Unauthorized in place of the generic 400: Bad Request if the application behaves the exact same way regardless?
They're useful for clients, but what if we're the client?
Notably, this discussion is within a full stack web development context. We are developing both 1) a backend API and 2) the frontend web page consuming it. Thus, we can be reasonably sure that the people troubleshooting a problem have other means of tracking down the issue. Also, we can be reasonably sure that few (probably none) of our users will even see the response code, much less care which 400-level one is returned. So it simply doesn't matter! Right? I wanted to give a better answer than "That's just how it's done!" so I decided to do some research to see what the ✨experts✨ think.
It wasn't very easy to find opinions coming from a distinctly full stack viewpoint, but after reading a few well-informed articles, here are the takeaways which I think apply here.
My informed opinion is forming:
Even with a plain-English error message, an appropriate response code will probably boost our troubleshooting speed.
Everywhere you look (🎶Everywhere you go🎵), HTTP response codes are described as standard, essential, and even "crucial" for web applications. We follow standards for code style, so why wouldn't we follow this standard?
The browser itself can potentially handle the request differently based on the response code, so it's not necessarily relevant whether your client-side code would handle the response differently.
And here's the bottom line: correct response codes are a clear best practice for RESTful API development, and as full stack developers, we should still build solid APIs even though we're our own client.
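To make the troubleshooting point concrete, here is an added example (not code from the review discussed above) that triages the same constructed access-log traffic twice: once with 401 and 400 kept distinct, and once with every client error collapsed to 400. The log format, paths, IP addresses and function names are assumptions made for the illustration.

```javascript
// Constructed access-log lines: method, path, status, client IP.
// "precise" is what the API emits when it distinguishes 401 from 400;
// "generic" is the same traffic with every client error collapsed to 400.
const precise = [
  "POST /api/login 401 203.0.113.7",
  "POST /api/login 401 203.0.113.7",
  "POST /api/login 401 203.0.113.7",
  "POST /api/orders 400 198.51.100.4",
  "GET /api/orders 200 198.51.100.4",
  "POST /api/login 401 203.0.113.7",
  "POST /api/orders 400 198.51.100.4",
];
const generic = precise.map((line) => line.replace(/ 4\d\d /, " 400 "));

// Count 4xx responses per (status, client) pair.
function triage(lines) {
  const counts = {};
  for (const line of lines) {
    const [, , status, ip] = line.split(" ");
    if (!status.startsWith("4")) continue; // only client errors
    const key = `${status} ${ip}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Return clients with at least `threshold` authentication failures (401).
// When everything is a 400, the status alone cannot separate a failed
// login from a malformed request body, so nothing is flagged.
function authFailureAlerts(lines, threshold = 3) {
  return Object.entries(triage(lines))
    .filter(([key, n]) => key.startsWith("401 ") && n >= threshold)
    .map(([key]) => key.split(" ")[1]);
}

console.log(triage(precise));
console.log("precise codes:", authFailureAlerts(precise));
console.log("generic 400s: ", authFailureAlerts(generic));
```
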
What are your thoughts? How important are precise HTTP status codes when the same party owns both client-side and server-side code?
P.S. One day, I'll find an appropriate place to put 418: I'm a teapot into production code.