HTTP Response for PUT vs POST
William Reade
william.reade at canonical.com
Thu May 29 11:25:10 UTC 2014
+1. I think that the only information that leaks is information about the
implementation, that can be inferred by reading the source anyway, right?
On Thu, May 29, 2014 at 1:14 PM, John Meinel <john at arbash-meinel.com> wrote:
> We currently have a test that we get 401 Unauthorized when you try to do a
> PUT instead of a POST for stuff like trying to push up Tools, etc.
>
> However, HTTP Spec seems to have a 405 Method Not Allowed, which is meant
> to handle this case of PUT isn't allowed, but POST would be.
>
> I'm looking into changing our Mux layer, to one that separately handles
> PUT from POST and will give us 405 codes "for free".
>
> I just wanted to check that it is probably a good idea to conform more to
> the spec, and be returning 405, I'm guessing 401 here was just because that
> was what we had on hand.
>
> The current way actually checks for POST before checking the
> Authorization, so an invalid Auth'd PUT would return a 405 rather than 401,
> but that doesn't seem like bad information leakage.
>
> Is that ok?
>
> John
> =:->
>
> --
> Juju-dev mailing list
> Juju-dev at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/juju-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/juju-dev/attachments/20140529/e6172b4b/attachment.html>
More information about the Juju-dev
mailing list